idnits 2.17.1 draft-turner-km-attributes-06.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == Line 1940 has weird spacing: '...alue of the k...' -- The document date (October 13, 2015) is 3119 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- -- Looks like a reference, but probably isn't: '1' on line 2973 -- Looks like a reference, but probably isn't: '2' on line 2974 -- Looks like a reference, but probably isn't: '0' on line 2971 -- Looks like a reference, but probably isn't: '3' on line 2975 -- Looks like a reference, but probably isn't: '4' on line 2817 -- Looks like a reference, but probably isn't: '5' on line 2832 -- Looks like a reference, but probably isn't: '6' on line 2833 -- Looks like a reference, but probably isn't: '7' on line 2844 -- Looks like a reference, but probably isn't: '8' on line 2845 Summary: 0 errors (**), 0 flaws (~~), 2 warnings (==), 10 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group P. Timmel 3 Internet-Draft National Security Agency 4 Intended Status: Informational R. Housley 5 Expires: April 15, 2016 Vigil Security 6 S. Turner 7 IECA 8 October 13, 2015 10 NSA's Cryptographic Message Syntax (CMS) Key Management Attributes 11 draft-turner-km-attributes-06.txt 13 Abstract 15 This document defines key management attributes used by the National 16 Security Agency (NSA). The attributes can appear in asymmetric 17 and/or symmetric key packages as well as the Cryptographic Message 18 Syntax (CMS) content types that subsequently envelope the key 19 packages. Key packages described in RFC 5958 and RFC 6031 are 20 examples where these attributes can be used. 22 Status of this Memo 24 This Internet-Draft is submitted in full conformance with the 25 provisions of BCP 78 and BCP 79. 27 Internet-Drafts are working documents of the Internet Engineering 28 Task Force (IETF). Note that other groups may also distribute 29 working documents as Internet-Drafts. The list of current Internet- 30 Drafts is at http://datatracker.ietf.org/drafts/current/. 32 Internet-Drafts are draft documents valid for a maximum of six months 33 and may be updated, replaced, or obsoleted by other documents at any 34 time. It is inappropriate to use Internet-Drafts as reference 35 material or to cite them other than as "work in progress." 37 Copyright and License Notice 39 Copyright (c) 2015 IETF Trust and the persons identified as the 40 document authors. All rights reserved. 42 This document is subject to BCP 78 and the IETF Trust's Legal 43 Provisions Relating to IETF Documents 44 (http://trustee.ietf.org/license-info) in effect on the date of 45 publication of this document. Please review these documents 46 carefully, as they describe your rights and restrictions with respect 47 to this document. Code Components extracted from this document must 48 include Simplified BSD License text as described in Section 4.e of 50 ID NSA's CMS Key Management Attributes October 13, 2015 52 the Trust Legal Provisions and are provided without warranty as 53 described in the Simplified BSD License. 55 Table of Contents 57 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 58 1.1. Attribute Locations . . . . . . . . . . . . . . . . . . . . 3 59 1.2. ASN.1 Notation . . . . . . . . . . . . . . . . . . . . . . 4 60 1.3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . 5 61 2. CMS-Defined Attributes . . . . . . . . . . . . . . . . . . . . 6 62 3. Community Identifiers . . . . . . . . . . . . . . . . . . . . . 7 63 4. Key Province Attribute . . . . . . . . . . . . . . . . . . . . 8 64 5. Binary Signing Time . . . . . . . . . . . . . . . . . . . . . . 8 65 6. Manifest . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 66 7. Key Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . 9 67 8. User Certificate . . . . . . . . . . . . . . . . . . . . . . . 11 68 9. Key Package Receivers . . . . . . . . . . . . . . . . . . . . . 11 69 10. TSEC Nomenclature . . . . . . . . . . . . . . . . . . . . . . 13 70 11. Key Purpose . . . . . . . . . . . . . . . . . . . . . . . . . 16 71 12. Key Use . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 72 13. Transport Key . . . . . . . . . . . . . . . . . . . . . . . . 20 73 14. Key Distribution Period . . . . . . . . . . . . . . . . . . . 20 74 15. Key Validity Period . . . . . . . . . . . . . . . . . . . . . 22 75 16. Key Duration . . . . . . . . . . . . . . . . . . . . . . . . . 23 76 17. Classification . . . . . . . . . . . . . . . . . . . . . . . . 24 77 17.1. Security Label . . . . . . . . . . . . . . . . . . . . . . 25 78 18. Split Key Identifier . . . . . . . . . . . . . . . . . . . . . 28 79 19. Key Package Type . . . . . . . . . . . . . . . . . . . . . . . 29 80 20. Signature Usage . . . . . . . . . . . . . . . . . . . . . . . 30 81 21. Other Certificate Format . . . . . . . . . . . . . . . . . . . 32 82 22. PKI Path . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 83 23. Useful Certificates . . . . . . . . . . . . . . . . . . . . . 34 84 24. Key Wrap Algorithm . . . . . . . . . . . . . . . . . . . . . . 35 85 25. Content Decryption Key Identifier . . . . . . . . . . . . . . 36 86 25.1. Content Decryption Key Identifier: Symmetric Key and 87 Symmetric Key Package . . . . . . . . . . . . . . . . . . 36 88 25.2. Content Decryption Key Identifier: Unprotected . . . . . . 36 89 26. Certificate Pointers . . . . . . . . . . . . . . . . . . . . . 37 90 27. CRL Pointers . . . . . . . . . . . . . . . . . . . . . . . . . 38 91 28. Key Package Identifier and Receipt Request . . . . . . . . . . 38 92 29. Additional Error Codes . . . . . . . . . . . . . . . . . . . . 38 93 30. Processing Key Package Attribute Values and CMS Content 94 Constraints . . . . . . . . . . . . . . . . . . . . . . . . . 39 95 31. Attribute Scope . . . . . . . . . . . . . . . . . . . . . . . 40 96 32. Security Considerations . . . . . . . . . . . . . . . . . . . 46 97 33. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 47 98 34. References . . . . . . . . . . . . . . . . . . . . . . . . . . 47 99 34.1 Normative References . . . . . . . . . . . . . . . . . . . 47 101 ID NSA's CMS Key Management Attributes October 13, 2015 103 34.2 Informative References . . . . . . . . . . . . . . . . . . 49 104 Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . . 50 105 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 66 107 1. Introduction 109 This document defines key management attributes used by the National 110 Security Agency (NSA). The attributes can appear in asymmetric 111 and/or symmetric key packages as well as the Cryptographic Message 112 Syntax (CMS) content types that subsequently envelope the key 113 packages. 115 This document contains definitions for new attributes as well as 116 previously defined attributes. References are provided to the 117 previously defined attributes however their definitions are included 118 herein for convenience. 120 CMS allows for arbitrary nesting of content types. Attributes are 121 also supported in various locations in content types and key 122 packages, which are themselves content types (see Section 1.1). An 123 implementation that supports all of the possibilities would be 124 extremely complex. Instead of implementing the full flexibility 125 supported by this document, some devices may choose to support one or 126 more templates, which is a profile for a combination of CMS content 127 type(s), key package, and attribute(s) (see Section 19). 129 1.1. Attribute Locations 131 There are a number of CMS content types that support attributes 132 SignedData [RFC5652], EnvelopedData [RFC5652], EncryptedData 133 [RFC5652], AuthenticatedData [RFC5652], and AuthEnvelopedData 134 [RFC5083] as well as ContentWithAttributes [RFC4073]. There are also 135 a number of other content types defined with CONTENT-TYPE [RFC6268] 136 that support attributes including AsymmetricKeyPackage [RFC5958] and 137 SymmetricKeyPackage [RFC6031]. 139 CMS defines a number of "protecting content types", SignedData 140 [RFC5652], EnvelopedData [RFC5652], EncryptedData [RFC5652], 141 AuthenticatedData [RFC5652], and AuthEnvelopedData [RFC5083], that 142 provide some type of security service. There are also other CMS 143 content types, Data [RFC5652], ContentWithAttributes [RFC4073], and 144 ContentCollection [RFC4073] that provide no security service. 146 There are also different kinds of attributes in these content types: 148 o SignedData supports two kinds of attributes: signed and unsigned 149 attributes in the signedAttrs and unsignedAttrs fields, 151 ID NSA's CMS Key Management Attributes October 13, 2015 153 respectively. 155 o EnvelopedData and EncryptedData each support one kind of 156 attribute: unprotected attributes in the unprotectedAttrs field. 158 o AuthEnvelopedData supports two kinds of attributes: authenticated 159 and unauthenticated attributes in the authAttrs and unauthAttrs 160 fields, respectively. Both of these attributes are also 161 unprotected (i.e., they are not encrypted); therefore, when 162 referring to AuthEnvelopedData attributes they are 163 authenticated/unprotected and unauthenticated/unprotected. For 164 this specification, unauthenticated attributes MUST be omitted. 166 o AuthenticatedData supports two kinds of attributes: 167 authenticated and unauthenticated attributes in the authAttrs and 168 unauthAttrs fields, respectively. For this specification, 169 unauthenticated attributes MUST be omitted. 171 o ContentWithAttributes supports one kind of attribute: content 172 attributes in the attrs field. 174 o AsymmetricKeyPackage supports one kind of attribute: asymmetric 175 key attributes in the attributes field. If an attribute appears 176 as part of an asymmetric key package, it SHOULD appear in the 177 attributes field of the AsymmetricKeyPackage. 179 o SymmetricKeyPackage supports two kinds of attributes: symmetric 180 key and symmetric key package attributes in the sKeyAttrs and 181 sKeyPkgAttrs fields, respectively. Note that [RFC6031] prohibits 182 the same attribute from appearing in both locations in the same 183 SymmetricKeyPackage. 185 Note that this specification updates the following information object 186 sets SignedAttributesSet, UnsignedAttributes, 187 UnprotectedEnvAttributes, UnprotectedEncAttributes, AuthAttributeSet, 188 UnauthAttributeSet, AuthEnvDataAttributeSet, 189 UnauthEnvDataAttributeSet, and ContentAttributeSet from [RFC6268] as 190 well as OneAsymmetricKeyAttributes from [RFC5958], SKeyPkgAttributes 191 from [RFC6031], SKeyAttributes from [RFC6031] to constrain the 192 permissible locations for attributes. See Appendix A for the ASN.1 193 for the information object sets. 195 1.2. ASN.1 Notation 197 The attributes defined in this document use 2002 ASN.1 198 [X.680][X.681][X.682][X.683]. The attributes MUST be DER [X.690] 199 encoded. 201 ID NSA's CMS Key Management Attributes October 13, 2015 203 Each of the attributes has a single attribute value instance in the 204 values set. Even though the syntax is defined as a set, there MUST 205 be exactly one instance of AttributeValue present. Further, the 206 SignedAttributes, UnsignedAttributes, UnprotectedAttributes, 207 AuthAttributes, and UnauthAttributes are also defined as a set, and 208 this set MUST include only one instance of any particular type of 209 attribute. That is, any object identifier appearing in AttributeType 210 MUST only appear one time in the set of attributes. 212 SignedData, EnvelopedData, EncryptedData, AuthenticatedData, 213 AuthEnvelopedData, and ContentWithAttributes were originally defined 214 using the 1988 version of ASN.1. These definitions were updated to 215 the 2008 version of ASN.1 by [RFC6268]. None of the new 2008 ASN.1 216 tokens are used, which allows 2002 compilers to compile 2008 ASN.1. 217 AsymmetricKeyPackage and SymmetricKeyPackage are defined using the 218 2002 ASN.1. 220 [RFC5652] and [RFC2634] define generally useful attributes for CMS 221 using the 1988 version of ASN.1. These definitions were updated to 222 the 2008 version of ASN.1 by [RFC6268] and the 2002 version of ASN.1 223 by [RFC5911], respectively. [RFC4108] and [RFC6019] also defined 224 attributes using the 1988 version of ASN.1, which this document uses. 225 Both were updated by [RFC5911] to the 2002 ASN.1. Refer to 226 [RFC2634], [RFC4108], [RFC5652], and [RFC6019] for the attribute's 227 semantics but refer to [RFC5911] or [RFC6268] for the attribute's 228 ASN.1 syntax. 230 1.3. Terminology 232 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 233 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 234 "OPTIONAL" in this document are to be interpreted as described in RFC 235 2119 [RFC2119]. 237 Attribute Scope: The scope of an attribute is the compilation of 238 keying material to which the attribute value is assigned. The scope 239 of each attribute is determined by its placement within the key 240 package or content collection. See Section 31. 242 SIR: Sender-Intermediary-Receiver is a model with three entities: 244 o A sender initiates the delivery of a key to one or more 245 receivers. It may wrap or encrypt the key for delivery. This is 246 expected to be the common case, since cleartext key is vulnerable 247 to exposure and compromise. If the sender is to encrypt the key 248 for delivery, it must know how to encrypt the key so that the 249 receiver(s) can decrypt it. A sender may also carry out any of 250 the functions of an intermediary. 252 ID NSA's CMS Key Management Attributes October 13, 2015 254 * The original key package creators are sometimes referred to as 255 key source authorities. These entities create the symmetric 256 and/or asymmetric key package and apply the initial CMS 257 protecting layer, which is normally a SignedData but sometimes 258 an AuthenticatedData. This initial CMS protecting layer is 259 maintained through any intermediary for the receivers of the 260 key package to ensure that receivers can validate the key 261 source authority. 263 o An intermediary does not have access to cleartext key. An 264 intermediary may perform source authentication on key packages, 265 and may append or remove management information related to the 266 package. It may encapsulate the encrypted key packages in larger 267 packages that contain other user data destined for later 268 intermediaries or receivers. 270 o A receiver has access to cleartext key. If the received key 271 package is encrypted, it can unwrap or decrypt the encrypted key 272 to obtain the cleartext key. A receiver may be the final 273 destination of the cryptographic product. An element that acts 274 as a receiver and is not the final destination of the key package 275 may also act as a sender or as an intermediary. After receiving 276 a key, a receiver may encrypt the received key for local storage. 278 NOTE: As noted in Section 1, a receiver can be tailored to support a 279 particular combination of CMS content type(s), key package, and 280 attribute(s) resulting in less complex implementations. All of these 281 tailored receivers can be specified in a common way, which also can 282 yield efficiencies in generation and provisioning. Senders and 283 intermediaries that have to understand multiple tailored receivers 284 get the efficiency of a common specification language and modular 285 implementation, as opposed to needing stove-piped processing for each 286 different receiver. 288 2. CMS-Defined Attributes 290 The following attributes are defined for [RFC5652]: 292 o content-type [RFC5652][RFC6268] uniquely specifies the CMS 293 content type. This attribute MUST be included as a signed, 294 authenticated, or authenticated/unprotected attribute. 296 o message-digest [RFC5652][RFC6268] is the message digest of the 297 encapsulated content calculated using the signer's message digest 298 algorithm. As specified in [RFC5652], it must be included as a 299 signed attribute and an authenticated attribute; as specified in 300 [RFC5652], it must not be an unsigned attribute, unauthenticated 301 attribute, or unprotected attribute; as specified in [RFC5083], 303 ID NSA's CMS Key Management Attributes October 13, 2015 305 it should not be included as an authenticated/unprotected 306 attribute in AuthEnvelopedData. This attribute MUST NOT be 307 included elsewhere. 309 o content-hints [RFC2634][RFC6268] identifies the innermost content 310 when multiple layers of encapsulation have been applied. Every 311 instance of SignedData, AuthenticatedData, and AuthEnvelopedData 312 that does not directly encapsulate a SymmetricKeyPackage, an 313 AsymmetricKeyPackage, or an EncryptedKeyPackage [RFC6032] MUST 314 include this attribute. 316 3. Community Identifiers 318 The community-identifiers attribute, defined in [RFC4108][RFC5911], 319 lists the communities that are authorized recipients of the signed 320 content. It can appear as a signed, authenticated, 321 authenticated/unprotected, or content attribute. This attribute MUST 322 be supported. 324 The 2002 ASN.1 syntax for the community-identifier attribute is 325 included for convenience: 327 aa-communityIdentifiers ATTRIBUTE ::= { 328 TYPE CommunityIdentifiers 329 IDENTIFIED BY id-aa-communityIdentifiers } 331 id-aa-communityIdentifiers OBJECT IDENTIFIER ::= { 332 iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) 333 smime(16) aa(2) 40 } 335 CommunityIdentifiers ::= SEQUENCE OF CommunityIdentifier 337 CommunityIdentifier ::= CHOICE { 338 communityOID OBJECT IDENTIFIER, 339 hwModuleList HardwareModules } 341 HardwareModules ::= SEQUENCE { 342 hwType OBJECT IDENTIFIER, 343 hwSerialEntries SEQUENCE OF HardwareSerialEntry } 345 HardwareSerialEntry ::= CHOICE { 346 all NULL, 347 single OCTET STRING, 348 block SEQUENCE { 349 low OCTET STRING, 350 high OCTET STRING } } 352 Consult [RFC4108] for the attribute's semantics. 354 ID NSA's CMS Key Management Attributes October 13, 2015 356 4. Key Province Attribute 358 The key-province-v2 attribute identifies the scope, range, or 359 jurisdiction in which the key is to be used. The key-province-v2 360 attribute MUST be present as a signed attribute or an authenticated 361 attribute in the innermost CMS protection content type that provides 362 authentication (i.e., SignedData, AuthEnvelopedData, or 363 AuthenticatedData) and encapsulates a symmetric key package or an 364 asymmetric key package. 366 The key-province attribute has the following syntax: 368 aa-keyProvince-v2 ATTRIBUTE ::= { 369 TYPE KeyProvinceV2 370 IDENTIFIED BY id-aa-KP-keyProvinceV2 } 372 id-aa-KP-keyProvinceV2 OBJECT IDENTIFIER ::= 373 { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) 374 dod(2) infosec(1) attributes(5) 71 } 376 KeyProvinceV2 ::= OBJECT IDENTIFIER 378 5. Binary Signing Time 380 The binary-signing-time attribute, defined in [RFC6019][RFC6268], 381 specifies the time at which the signature or the message 382 authentication code was applied to the encapsulated content. It can 383 appear as a signed, authenticated, or authenticated/unprotected 384 attribute. 386 The 2002 ASN.1 syntax is included for convenience: 388 aa-binarySigningTime ATTRIBUTE ::= { 389 TYPE BinarySigningTime 390 IDENTIFIED BY id-aa-binarySigningTime } 392 id-aa-binarySigningTime OBJECT IDENTIFIER ::= { 393 iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) 394 smime(16) aa(2) 46 } 396 BinarySigningTime ::= BinaryTime 398 BinaryTime ::= INTEGER (0..MAX) 400 Consult [RFC6019] for the binary-signing-time attribute's semantics. 402 6. Manifest 403 ID NSA's CMS Key Management Attributes October 13, 2015 405 The manifest attribute lists the short titles of all the Transmission 406 Security Nomenclature (TSEC-Nomenclature) attributes from inner key 407 packages. It MUST only appear as an outer-most signed, 408 authenticated, or authenticated/unprotected attribute. If a short 409 title is repeated in inner packages, it need only appear once in the 410 manifest attribute. The manifest attribute MUST NOT appear in the 411 same level as the TSEC-Nomenclature from the Section 10. 413 The manifest attribute has the following syntax: 415 aa-manifest ATTRIBUTE ::= { 416 TYPE Manifest 417 IDENTIFIED BY id-aa-KP-manifest } 419 id-aa-KP-manifest OBJECT IDENTIFIER ::= { 420 joint-iso-itu-t(2) country(16) us(840) organization(1) 421 gov(101) dod(2) infosec(1) attributes(5) 72 } 423 Manifest ::= SEQUENCE SIZE (1..MAX) OF ShortTitle 425 7. Key Algorithm 427 The key-algorithm attribute indirectly specifies the size and format 428 of the keying material in the skey field of a symmetric key package, 429 which is defined in [RFC6031]. It can appear as a symmetric key, 430 symmetric key package, signed, authenticated, 431 authenticated/unprotected, or content attribute. If this attribute 432 appears as a signed attribute, then all of the keying material within 433 the SignedData content MUST be associated with the same algorithm. 434 If this attribute appears as an authenticated or 435 authenticated/unprotected attribute, then all of the keying material 436 within the AuthenticatedData or AuthEnvelopedData content type MUST 437 be associated with the same algorithm. If this attribute appears as 438 a content attribute, then all of the keying material within the 439 collection MUST be associated with the same algorithm. If both the 440 key-algorithm and key-wrap-algorithm attributes apply from the 441 Section 24 to an sKey, then the key-algorithm attribute refers to the 442 decrypted value of sKey rather than to the content of sKey itself. 443 This attribute MUST be supported. 445 ID NSA's CMS Key Management Attributes October 13, 2015 447 The key-algorithm attribute has the following syntax: 449 aa-keyAlgorithm ATTRIBUTE ::= { 450 TYPE KeyAlgorithm 451 IDENTIFIED BY id-kma-keyAlgorithm } 453 id-kma-keyAlgorithm OBJECT IDENTIFIER ::= { 454 joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) 455 dod(2) infosec(1) keying-material-attributes(13) 1 } 457 KeyAlgorithm ::= SEQUENCE { 458 keyAlg OBJECT IDENTIFIER, 459 checkWordAlg [1] OBJECT IDENTIFIER OPTIONAL, 460 crcAlg [2] OBJECT IDENTIFIER OPTIONAL } 462 The fields in the key-algorithm attribute have the following 463 semantics: 465 o keyAlg specifies the size and format of the keying material. 467 o If the particular key format supports more than one check word 468 algorithm, then the OPTIONAL checkWordAlg identifier indicates 469 which check word algorithm was used to generate the check word 470 that is present. If the check word algorithm is implied by the 471 key algorithm, then the checkWordAlg field SHOULD be omitted. 473 o If the particular key format supports more than one Cyclic 474 Redundancy Check (CRC) algorithm, then the OPTIONAL crcAlg 475 identifier indicates which CRC algorithm was used to generate the 476 value that is present. If the CRC algorithm is implied by the 477 key algorithm, then the crcAlg field SHOULD be omitted. 479 The keyAlg identifier, the checkWordAlg identifier, and the crcAlg 480 identifier are object identifiers. The use of an object identifier 481 accommodates any algorithm from any registry. 483 The format of the keying material in the skey field of a symmetric 484 key package will not match this attribute if the keying material is 485 split (see section 18 for a discussion on the split-identifier 486 attribute). In this situation, this attribute identifies the format 487 of the keying material once the two splits are combined. 489 Due to multiple layers of encapsulation or the use of content 490 collections, the key-algorithm attribute can appear in more than one 491 location in the overall key package. When there are multiple 492 occurrences of the key-algorithm attribute within the same scope, the 493 keyAlg field MUST match in all instances. The OPTIONAL checkWordAlg 494 and crcAlg fields can be omitted in the key-algorithm attribute when 496 ID NSA's CMS Key Management Attributes October 13, 2015 498 it appears as a signed, authenticated, authenticated/unprotected, or 499 content attribute. However, if these optional fields are present, 500 they MUST also match the other occurrences within the same scope. 501 Receivers MUST reject any key package that fails these consistency 502 checks. 504 8. User Certificate 506 The user-certificate attribute specifies the type, format, and value 507 of an X.509 certificate and is used in asymmetric key package's 508 attributes field. This attribute can appear as an asymmetric key 509 attribute. This attribute MUST NOT appear in an asymmetric key 510 package attributes field that includes the other-certificate-formats 511 attribute. Symmetric key packages do not contain any certificates, 512 so the user-certificate attribute MUST NOT appear in a symmetric key 513 package. The user-certificate attribute MUST NOT appear as a signed, 514 authenticated, authenticated/unprotected, or content attribute. This 515 attribute MUST be supported. 517 The syntax is taken from [X.509] but redefined using the ATTRIBUTE 518 CLASS from [RFC5911]. The user-certificate attribute has the 519 following syntax: 521 aa-userCertificate ATTRIBUTE ::= { 522 TYPE Certificate 523 EQUALITY MATCING RULE certificateExactMatch 524 IDENTIFIED BY id-at-userCertificate } 526 id-at-userCertificate OBJECT IDENTIFIER ::= { 527 joint-iso-itu-t(2) ds(5) attributes(4) 36 } 529 Since the user-certificate attribute MUST NOT appear as a signed, 530 authenticated, authenticated/unprotected, or content attribute, an 531 asymmetric key package cannot include multiple occurrences of the 532 user-certificate attribute within the same scope. Receivers MUST 533 reject any asymmetric key package in which the user-certificate 534 attribute appears as a signed, authenticated, 535 authenticated/unprotected, or content attribute. 537 9. Key Package Receivers 539 The key-package-receivers-v2 attribute indicates the intended 540 audience for the key package. The key-package-receivers-v2 attribute 541 is not intended for access control decisions, rather intermediate 542 systems may use this attribute to make routing and relaying 543 decisions. The receiver SHOULD reject the key package if the key- 544 package-receivers-v2 attribute is present and they are not listed as 545 an intended receiver; if the receiver is not listed it will be unable 547 ID NSA's CMS Key Management Attributes October 13, 2015 549 to decrypt the package. The key-package-receivers-v2 attribute can 550 be used as a signed, authenticated, authenticated/unprotected, or 551 content attribute. If key-package-receivers-v2 attribute is 552 associated with a collection, then the named receivers MUST be able 553 to receive all of the key packages within the collection. This 554 attribute MUST be supported. 556 The key-package-receivers-v2 attribute has the following syntax: 558 aa-keyPackageReceivers-v2 ATTRIBUTE ::= { 559 TYPE KeyPkgReceiversV2 560 IDENTIFIED BY id-kma-keyPkgReceiversV2 } 562 id-kma-keyPkgReceiversV2 OBJECT IDENTIFIER ::= { 563 joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) 564 dod(2) infosec(1) keying-material-attributes(13) 16 } 566 KeyPkgReceiversV2 ::= SEQUENCE SIZE (1..MAX) OF KeyPkgReceiver 568 KeyPkgReceiver ::= CHOICE { 569 sirEntity [0] SIREntityName, 570 community [1] CommunityIdentifier } 572 The key-package-receivers-v2 attribute contains a list of receiver 573 identifiers. The receiver identifier is either a SIREntityName 574 [RFC7191] or a CommunityIdentifier (see Section 3). The 575 SIREntityName syntax does not impose any particular structure on the 576 receiver identifier, but it does require registration of receiver 577 identifier types. The nameType ensures that two receiver identifiers 578 of different types that contain the same values are not interpreted 579 as equivalent. Name types are expected to be defined that represent 580 several different granularities. For example, one name type will 581 represent the receiver organization. At a finer granularity, the 582 name type will identify a specific cryptographic device, perhaps 583 using a manufacturer identifier and serial number. 585 If a receiver does not recognize a particular nameType or a community 586 identifier, then keying material within the scope of the unrecognized 587 nameType or community identifier MUST NOT be used in any manner. 588 However, the receiver need not discard the associated key package. 589 Since many cryptographic devices are programmable, a different 590 firmware load may recognize the nameType. Likewise, a change in the 591 configuration may lead to the recognition of a previously 592 unrecognized community identifier. Therefore, the receiver may 593 retain the key package, but refuse to use it for anything with a 594 firmware load that does not recognize the nameType or a configuration 595 that does not recognize the community identifier. 597 ID NSA's CMS Key Management Attributes October 13, 2015 599 Whenever a key package is saved for later processing due to an 600 unrecognized nameType or community identifier, subsequent processing 601 MUST NOT rely on any checks that were made the first time the key 602 package processing was attempted. That is, the subsequent processing 603 MUST include the full complement of checks. Further, a receipt for 604 the packages MUST NOT be generated unless all of these checks are 605 successfully completed. 607 Due to multiple layers of encapsulation or the use of content 608 collections, the key-package-receivers-v2 attribute can appear in 609 more than one location in the overall key package. When there are 610 multiple occurrences of the key-package-receivers-v2 attribute, each 611 occurrence is evaluated independently. 613 In a content collection, each member of the collection might contain 614 its own signed, authenticated, authenticated/unprotected, or content 615 attribute that includes a key-package-receivers-v2 attribute. In 616 this situation, each member of the collection is evaluated 617 separately, and any member that includes an acceptable receiver 618 SHOULD be retained. Other members can be rejected or retained for 619 later processing with a different firmware load. 621 10. TSEC Nomenclature 623 The Telecommunications Security Nomenclature (TSEC-Nomenclature) 624 attribute provides the name for a piece of keying material, which 625 always includes a printable string called a "short title" (see 626 below). The TSEC-Nomenclature attribute also contains other 627 identifiers when the short title is insufficient to uniquely name a 628 particular piece of keying material. This attribute can appear as a 629 symmetric key, symmetric key package, asymmetric key, signed, 630 authenticated, authenticated/unprotected, or content attribute. If 631 this attribute appears in the sKeyAttrs field, the EditionID, 632 RegisterID, and SegmentID attribute fields MUST NOT be ranges. If 633 this attribute appears as a signed, authenticated, 634 authenticated/unprotected, or content attribute, all of the keying 635 material within the associated content MUST have the same short 636 title, and the attribute value MUST contain only a short title. That 637 is, when this attribute appears as a signed, authenticated, 638 authenticated/unprotected, or content attribute, all of the optional 639 fields MUST be absent. If this attribute is associated with a 640 collection, all of the keying material within the collection MUST 641 have the same short title; however, the edition, register, and 642 segment identifiers will be different for each key package in the 643 collection. This attribute MUST be supported. 645 The TSEC-Nomenclature attribute has the following syntax: 647 ID NSA's CMS Key Management Attributes October 13, 2015 649 aa-tsecNomenclature ATTRIBUTE ::= { 650 TYPE TSECNomenclature 651 IDENTIFIED BY id-kma-TSECNomenclature } 653 id-kma-TSECNomenclature OBJECT IDENTIFIER ::= { 654 joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) 655 dod(2) infosec(1) keying-material-attributes(13) 3 } 657 TSECNomenclature ::= SEQUENCE { 658 shortTitle ShortTitle, 659 editionID EditionID OPTIONAL, 660 registerID RegisterID OPTIONAL, 661 segmentID SegmentID OPTIONAL } 663 ShortTitle ::= PrintableString 665 EditionID ::= CHOICE { 666 char CHOICE { 667 charEdition [1] CharEdition, 668 charEditionRange [2] CharEditionRange } 669 num CHOICE { 670 numEdition [3] NumEdition, 671 numEditionRange [4] NumEditionRange } } 673 CharEdition ::= PrintableString 675 CharEditionRange ::= SEQUENCE { 676 firstCharEdition CharEdition, 677 lastCharEdition CharEdition } 679 NumEdition ::= INTEGER (0..308915776) 681 NumEditionRange ::= SEQUENCE { 682 firstNumEdition NumEdition, 683 lastNumEdition NumEdition } 685 RegisterID ::= CHOICE { 686 register [5] Register, 687 registerRange [6] RegisterRange } 689 Register ::= INTEGER (0..2147483647) 691 RegisterRange ::= SEQUENCE { 692 firstRegister Register, 693 lastRegister Register } 695 SegmentID ::= CHOICE { 696 segmentNumber [7] SegmentNumber, 698 ID NSA's CMS Key Management Attributes October 13, 2015 700 segmentRange [8] SegmentRange } 702 SegmentNumber ::= INTEGER (1..127) 704 SegmentRange ::= SEQUENCE { 705 firstSegment SegmentNumber, 706 lastSegment SegmentNumber } 708 The fields in the TSEC-Nomenclature attribute have the following 709 semantics: 711 o The short title consists of up to 32 alphanumeric characters. 712 Short title processing always uses the value in its entirety. 714 o The edition identifier is OPTIONAL, and the edition identifier is 715 used to distinguish accountable items. The edition identifier 716 consists either of six alphanumeric characters or an integer. 717 When present, the edition identifier is either a single value or 718 a range. The integer encoding should be used when it is 719 important to keep key package size to a minimum. 721 o The register identifier is OPTIONAL. For electronic keying 722 material, the register identifier is usually omitted. The 723 register identifier is an accounting number assigned to identify 724 COMSEC material. The register identifier is either a single 725 value or a range. 727 o The segment identifier is OPTIONAL, and it distinguishes the 728 individual symmetric keys delivered in one edition. A unique 729 segment number is assigned to each key in an edition. The 730 segment number is set to one for the first item in each edition, 731 and it is incremented by one for each additional item within that 732 edition. The segment identifier is either a single value or a 733 range. 735 The order that the keying material will appear in the key package is 736 illustrated by the following example: a cryptographic device may 737 require fresh keying material every day, an edition represents the 738 keying material for a single month, and the segments represent the 739 keying material for a day within that month. Consider a key package 740 that contains the keying material for July and August; it will 741 contain keying material for 62 days. The keying material will appear 742 in the following order: Edition 1, Segment 1; Edition 1, Segment 2; 743 Edition 1, Segment 3; ...; Edition 1, Segment 31; Edition 2, Segment 744 1; Edition 2, Segment 2; Edition 2, Segment 3; ...; Edition 2, 745 Segment 31. 747 Due to multiple layers of encapsulation or the use of content 749 ID NSA's CMS Key Management Attributes October 13, 2015 751 collections, the TSEC-Nomenclature attribute can appear in more than 752 one location in the overall key package. When there are multiple 753 occurrences of the TSEC-Nomenclature attribute within the same scope, 754 the shortTitle field MUST match in all instances. Receivers MUST 755 reject any key package that fails these consistency checks. 757 When the manifest attribute from Section 6 is included in an outer 758 layer, the shortTitle field values present in TSEC-Nomenclature 759 attributes MUST be one of the values in the manifest attribute. 760 Receivers MUST reject any key package that fails this consistency 761 checks. 763 11. Key Purpose 765 The key-purpose attribute specifies the intended purpose of the key 766 material. It can appear as a symmetric key, symmetric key package, 767 asymmetric key, signed, authenticated, authenticated/unprotected, or 768 content attribute. If the key-purpose attribute appears as a signed, 769 authenticated, authenticated/unprotected, or content attribute, then 770 all of the keying material within the associated content MUST have 771 the same key purpose value. 773 The key-purpose attribute has the following syntax: 775 aa-keyPurpose ATTRIBUTE ::= { 776 TYPE KeyPurpose 777 IDENTIFIED BY id-kma-keyPurpose } 779 id-kma-keyPurpose OBJECT IDENTIFIER ::= { 780 joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) 781 dod(2) infosec(1) keying-material-attributes(13) 13 } 783 KeyPurpose ::= ENUMERATED { 784 n-a (0), -- Not Applicable 785 a (65), -- Operational 786 b (66), -- Compatible Multiple Key 787 l (76), -- Logistics Combinations 788 m (77), -- Maintenance 789 r (82), -- Reference 790 s (83), -- Sample 791 t (84), -- Training 792 v (86), -- Developmental 793 x (88), -- Exercise 794 z (90), -- "On the Air" Testing 795 ... -- Expect additional key purpose values -- } 797 Due to multiple layers of encapsulation or the use of content 798 collections, the key-purpose attribute can appear in more than one 800 ID NSA's CMS Key Management Attributes October 13, 2015 802 location in the overall key package. When there are multiple 803 occurrences of the key-purpose attribute within the same scope, all 804 fields within the attribute MUST contain exactly the same values. 805 Receivers MUST reject any key package that fails these consistency 806 checks. 808 12. Key Use 810 The key-use attribute specifies the intended use of the key material. 811 It can appear as a symmetric key, symmetric key package, asymmetric, 812 signed, authenticated, authenticated/unprotected, or content 813 attribute. If the key-use attribute appears as a signed, 814 authenticated, authenticated/unprotected, or content attribute, then 815 all of the keying material within the associated content MUST have 816 the same key use value. 818 The key-use attribute has the following syntax: 820 aa-key-Use ATTRIBUTE ::= { 821 TYPE KeyUse 822 IDENTIFIED BY id-kma-keyUse } 824 id-kma-keyUse OBJECT IDENTIFIER ::= { 825 joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) 826 dod(2) infosec(1) keying-material-attributes(13) 14 } 828 KeyUse ::= ENUMERATED { 829 n-a (0), -- Not applicable 830 ffk (1), -- FIREFLY/CROSSTALK Key (Basic Format) 831 kek (2), -- Key Encryption Key 832 kpk (3), -- Key Production Key 833 msk (4), -- Message Signature Key 834 qkek (5), -- QUADRANT Key Encryption Key 835 tek (6), -- Traffic Encryption Key 836 tsk (7), -- Transmission Security Key 837 trkek (8), -- Transfer Key Encryption Key 838 nfk (9), -- Netted FIREFLY Key 839 effk (10), -- FIREFLY Key (Enhanced Format) 840 ebfk (11), -- FIREFLY Key (Enhanceable Basic Format) 841 aek (12), -- Algorithm Encryption Key 842 wod (13), -- Word of Day 843 kesk (246), -- Key Establishment Key 844 eik (247), -- Entity Identification Key 845 ask (248), -- Authority Signature Key 846 kmk (249), -- Key Modifier Key 847 rsk (250), -- Revocation Signature Key 848 csk (251), -- Certificate Signature Key 849 sak (252), -- Symmetric Authentication Key 851 ID NSA's CMS Key Management Attributes October 13, 2015 853 rgk (253), -- Random Generation Key 854 cek (254), -- Certificate Encryption Key 855 exk (255), -- Exclusion Key 856 ... -- Expect additional key use values -- } 858 The values for the key-use attribute has the following semantics: 860 o ffk: A FIREFLY/CROSSTALK key is used to establish a Key 861 Establishment Key (KEK) or a Transmission Encryption Key (TEK) 862 between two parties. The KEK or TEK generated from the exchange 863 is used with a symmetric encryption algorithm. This key use 864 value is associated with keys in the basic format. 866 o kek: A Key Encryption Key is used to encrypt or decrypt other 867 keys for transmission or storage. 869 o kpk: A Key Production Key is used to initialize a keystream 870 generator for the production of other electronically generated 871 keys. 873 o msk: A Message Signature Key is used in a digital signature 874 process that operates on a message to assure message source 875 authentication, message integrity, and non-repudiation. 877 o qkek: QUADRANT Key Encryption Key is one part of a tamper 878 resistance solution. 880 o tek: A Traffic Encryption Key is used to encrypt plaintext or to 881 superencrypt previously encrypted data and/or to decrypt 882 ciphertext. 884 o tsk: A Transmission Security Key is used to protect transmissions 885 from interception and exploitation by means other than 886 cryptanalysis. 888 o trkek: Transfer Key Encryption Key. For example, the keys used 889 by the KP and DTD. 891 o nfk: A Netted FIREFLY Key is a FIREFLY key that has an edition 892 number associated with it. When rekeyed, it is incremented, 893 preventing communications with FIREFLY key of previous editions. 894 This edition number is maintained within a universal edition. 896 o effk: Enhanced FIREFLY Key is used to establish a KEK or a TEK 897 between two parties. The KEK or TEK generated from an exchange 898 is used with a symmetric encryption algorithm. This key use 899 value is associated with keys in the enhanced format. 901 ID NSA's CMS Key Management Attributes October 13, 2015 903 o ebfk: Enhanceable Basic FIREFLY Key is used to establish a KEK or 904 a TEK between two parties. The KEK or TEK generated from an 905 exchange is used with a symmetric encryption algorithm. This key 906 use value is associated with keys in the enhanceable basic 907 format. 909 o aek: An Algorithm Encryption Key is used to encrypt or decrypt an 910 algorithm implementation as well as other functionality in the 911 implementation. 913 o wod: A key used to generate the Word of the Day (WOD). 915 o kek: A Key Establishment Key is an asymmetric key set (e.g. 916 public/private/parameters) used to enable the establishment of 917 symmetric key(s) between entities. 919 o eik: An Entity Identification Key is an asymmetric key set (e.g. 920 public/private/parameters) used to identify one entity to another 921 for access control and other similar purposes. 923 o ask: An Authority Signature Key is an asymmetric key set (e.g. 924 public/private/parameters) used by designated authorities to sign 925 objects such as TAMP messages and firmware packages. 927 o kmk: A Key Modifier Key is a symmetric key used to modify the 928 results of the process that forms a symmetric key from a public 929 key exchange process. 931 o rsk: A Revocation Signature Key is an asymmetric key set (e.g. 932 public/private/parameters) used to sign and authenticate 933 revocation lists and compromised key lists. 935 o csk: A Certificate Signature Key is an asymmetric key set (e.g. 936 public/private/parameters) used to sign and authenticate public- 937 key certificates. 939 o sak: A Symmetric Authentication Key is used in a Message 940 Authentication Code (MAC) algorithm to provide message integrity. 941 Differs from a Message Signature Key in that it is symmetric key 942 material and it does not provide source authentication or non- 943 repudiation. 945 o rgk: Random Generation Key is a key used to seed a deterministic 946 pseudo-random number generator. 948 o cek: A Certificate Encryption Key is used to encrypt public-key 949 certificates to support privacy. 951 ID NSA's CMS Key Management Attributes October 13, 2015 953 o exk: An Exclusion Key is a symmetric key used to 954 cryptographically subdivide a single large security domain into 955 smaller segregated domains. 957 Due to multiple layers of encapsulation or the use of content 958 collections, the key-use attribute can appear in more than one 959 location in the overall key package. When there are multiple 960 occurrences of the key-use attribute within the same scope, all 961 fields within the attribute MUST contain exactly the same values. 962 Receivers MUST reject any key package that fails these consistency 963 checks. 965 13. Transport Key 967 The transport-key attribute identifies whether an asymmetric key is a 968 transport key or an operational key (i.e., the key can either be used 969 as is or not). It can appear as an asymmetric key, signed, 970 authenticated, authenticated/unprotected, or content attribute. If 971 the transport-key attribute appears as a signed, authenticated, 972 authenticated/unprotected, or content attribute, then all of the 973 keying material within the associated content MUST have the same 974 operational/transport key material. 976 aa-transportKey ATTRIBUTE ::= { 977 TYPE TransOp 978 IDENTIFIED BY id-kma-transportKey } 980 id-kma-transportKey OBJECT IDENTIFIER ::= { 981 joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) 982 dod(2) infosec(1) keying-material-attributes(13) 15 } 984 TransOp ::= ENUMERATED { 985 transport (1), 986 operational (2) } 988 Due to multiple layers of encapsulation or the use of content 989 collections, the transport-key attribute can appear in more than one 990 location in the overall key package. When there are multiple 991 occurrences of the transport-key attribute within the same scope, all 992 fields within the attribute MUST contain exactly the same values. 993 Receivers MUST reject any key package that fails these consistency 994 checks. 996 14. Key Distribution Period 998 The key-distribution-period attribute indicates the period of time 999 that the keying material is intended for distribution. Keying 1000 material is often distributed before it is intended to be used. Time 1002 ID NSA's CMS Key Management Attributes October 13, 2015 1004 of day must be represented in Coordinated Universal Time (UTC). It 1005 can appear as a symmetric key, symmetric key package, asymmetric key, 1006 signed, authenticated, authenticated/unprotected, or content 1007 attribute. If the key-distribution-period attribute appears as a 1008 signed, authenticated, authenticated/unprotected, or content 1009 attribute, then all of the keying material within the content MUST 1010 have the same key distribution period. 1012 The key-distribution-period attribute has the following syntax: 1014 aa-keyDistributionPeriod ATTRIBUTE ::= { 1015 TYPE KeyDistPeriod 1016 IDENTIFIED BY id-kma-keyDistPeriod } 1018 id-kma-keyDistPeriod OBJECT IDENTIFIER ::= { 1019 joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) 1020 dod(2) infosec(1) keying-material-attributes(13) 5 } 1022 KeyDistPeriod ::= SEQUENCE { 1023 doNotDistBefore [0] BinaryTime OPTIONAL, 1024 doNotDistAfter BinaryTime } 1026 BinaryTime ::= INTEGER 1028 The fields in the key-distribution-period attribute have the 1029 following semantics: 1031 o The doNotDistBefore field is OPTIONAL, and when it is present, 1032 the keying material SHOULD NOT be distributed before the date and 1033 time provided. 1035 o The doNotDistAfter field is REQUIRED, and the keying material 1036 SHOULD NOT be distributed after the date and time provided. 1038 When the key-distribution-period attribute is associated with a 1039 collection of keying material, the distribution period applies to all 1040 of the keys in the collection. None of the keying material in the 1041 collection SHOULD be distributed outside the indicated period. 1043 Due to multiple layers of encapsulation or the use of content 1044 collections, the key-distribution-period attribute can appear in more 1045 than one location in the overall key package. When there are 1046 multiple occurrences of the key-distribution-period attribute within 1047 the same scope, all of the included attribute fields MUST contain 1048 exactly the same value. However, if the doNotDistBefore field is 1049 absent in an inner layer, a value MAY appear in an outer layer 1050 because the outer layer constrains the inner layer. Receivers MUST 1051 reject any key package that fails these consistency checks. 1053 ID NSA's CMS Key Management Attributes October 13, 2015 1055 15. Key Validity Period 1057 The key-validity-period attribute indicates the period of time that 1058 the keying material is intended for use. Time of day MUST be 1059 represented in Coordinated Universal Time (UTC). It can appear as a 1060 symmetric key, symmetric key package, asymmetric key, signed, 1061 authenticated, authenticated/unprotected, or content attribute. If 1062 the key-validity-period attribute appears as a signed, authenticated, 1063 authenticated/unprotected, or content attribute, then all of the 1064 keying material within the content MUST have the same key validity 1065 period. 1067 The key-validity-period attribute has the following syntax: 1069 aa-keyValidityPeriod ATTRIBUTE ::= { 1070 TYPE KeyValidityPeriod 1071 IDENTIFIED BY id-kma-keyValidityPeriod } 1073 id-kma-keyValidityPeriod OBJECT IDENTIFIER ::= { 1074 joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) 1075 dod(2) infosec(1) keying-material-attributes(13) 6 } 1077 KeyValidityPeriod ::= SEQUENCE { 1078 doNotUseBefore BinaryTime, 1079 doNotUseAfter BinaryTime OPTIONAL } 1081 BinaryTime ::= INTEGER 1083 The fields in the key-validity-period attribute have the following 1084 semantics: 1086 o The doNotUseBefore field is required, and the keying material 1087 should not be used before the date and time provided. 1089 o The doNotUseAfter field is optional, and when it is present, the 1090 keying material should not be used after the date and time 1091 provided. 1093 For a key package that is being used for rekey, the doNotUseAfter 1094 field MAY be required even though the syntax is OPTIONAL. 1096 When the key-validity-period attribute is associated with a 1097 collection of keying material, the validity period applies to all of 1098 the keys in the collection. None of the keying material in the 1099 collection SHOULD be used outside the indicated period. 1101 The key-validity-period attribute described in this section and the 1102 key-duration attribute described in the next section provide a 1104 ID NSA's CMS Key Management Attributes October 13, 2015 1106 complementary function. The key-validity-period attribute provides 1107 explicit date and time values, which indicate the beginning and 1108 ending of the keying material usage period. The key-duration 1109 attribute provides the maximum length of time that the keying 1110 material SHOULD be used. If both attributes are provided, this 1111 duration MAY occur at any time within the specified period, but the 1112 limits imposed by both attributes SHOULD be honored. 1114 Due to multiple layers of encapsulation or the use of content 1115 collections, the key-validity-period attribute can appear in more 1116 than one location in the overall key package. When there are 1117 multiple occurrences of the key-validity-period attribute within the 1118 same scope, all of the included attribute fields MUST contain exactly 1119 the same value. However, if the doNotUseAfter field is absent in an 1120 inner layer, a value MAY appear in an outer layer. Receivers MUST 1121 reject any key package that fails these consistency checks. 1123 16. Key Duration 1125 The key-duration attribute indicates the maximum period of time that 1126 the keying material is intended for use. The date and time that the 1127 duration begins is not specified, but the maximum amount of time that 1128 the keying material can be used to provide security services is 1129 specified. It can appear as a symmetric key, symmetric key package, 1130 asymmetric key, signed, authenticated, authenticated/unprotected, or 1131 content attribute. If the key-duration attribute appears as a 1132 signed, authenticated, authenticated/unprotected, or content 1133 attribute, then all of the keying material within the content MUST 1134 have the same key duration. 1136 The key-duration attribute has the following syntax: 1138 aa-keyDurationPeriod ATTRIBUTE ::= { 1139 TYPE KeyDuration 1140 IDENTIFIED BY id-kma-keyDuration } 1142 id-kma-keyDuration OBJECT IDENTIFIER ::= { 1143 joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) 1144 dod(2) infosec(1) keying-material-attributes(13) 7 } 1146 KeyDuration ::= CHOICE { 1147 hours [0] INTEGER (1..ub-KeyDuration-hours), 1148 days INTEGER (1..ub-KeyDuration-days), 1149 weeks [1] INTEGER (1..ub-KeyDuration-weeks), 1150 months [2] INTEGER (1..ub-KeyDuration-months), 1151 years [3] INTEGER (1..ub-KeyDuration-years) } 1153 ub-KeyDuration-hours INTEGER ::= 96 1155 ID NSA's CMS Key Management Attributes October 13, 2015 1157 ub-KeyDuration-days INTEGER ::= 732 1158 ub-KeyDuration-weeks INTEGER ::= 104 1159 ub-KeyDuration-months INTEGER ::= 72 1160 ub-KeyDuration-years INTEGER ::= 100 1162 The key-validity-period attribute described in the previous section 1163 and the key-duration attribute described in this section provide a 1164 complementary function. The relationship between these attributes is 1165 described in the previous section. 1167 Due to multiple layers of encapsulation or the use of content 1168 collections, the key-duration attribute can appear in more than one 1169 location in the overall key package. When there are multiple 1170 occurrences of the key-duration attribute within the same scope, all 1171 of the included attribute fields MUST contain exactly the same value. 1172 Receivers MUST reject any key package that fails these consistency 1173 checks. 1175 17. Classification 1177 The classification attribute indicates level of classification. The 1178 classification attribute specifies the aggregate classification of 1179 the package content. It can appear as a symmetric key, symmetric key 1180 package, asymmetric key, signed, authenticated, 1181 authenticated/unprotected, or content attribute. If the 1182 classification attribute appears as a signed, authenticated, 1183 authenticated/unprotected, or content attribute, then the value MUST 1184 represent the classification of all of the keying material within the 1185 content. Encrypted layers MAY contain content at a higher 1186 classification that will be revealed once they are decrypted. If the 1187 classification attribute is associated with a collection, then the 1188 sensitivity of all the data within the collection MUST be dominated 1189 by the classification carried in this attribute. 1191 The classification attribute makes use of the ESSSecurityLabel 1192 defined in Section 17.1 and from [RFC2634][RFC5911]. The term 1193 "classification" is used in this document, but the term "security 1194 label" is used in [RFC2634]. The two terms have the same meaning. 1196 [RFC2634][RFC5911] specifies an object identifier and syntax for the 1197 security label attribute. The same values are used for the 1198 classification attribute: 1200 aa-classificationAttribute ATTRIBUTE ::= { 1201 TYPE Classification 1202 IDENTIFIED BY id-aa-KP-classification } 1204 id-aa-KP-classification OBJECT IDENTIFIER ::= id-aa-securityLabel 1206 ID NSA's CMS Key Management Attributes October 13, 2015 1208 -- id-aa-securityLabel OBJECT IDENTIFIER ::= { 1209 -- iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 1210 -- pkcs-9(9) smime(16) id-aa(2) 2 } 1212 Classification ::= ESSSecurityLabel 1214 The syntax of ESSSecurityLabel is not repeated here; however, see 1215 section 17.1 for security label conventions that MUST be followed by 1216 implementations of this specification. See [RFC2634] for a complete 1217 discussion of the semantics and syntax. 1219 When the classification attribute appears in more than one location 1220 in the overall key package, each occurrence is evaluated 1221 independently. The content originator MUST ensure that the 1222 classification attribute represents the sensitivity of the plaintext 1223 within the content. That is, the classification MUST dominate any 1224 other plaintext classification attribute value that is present 1225 elsewhere in the overall key package. Note that the classification 1226 attribute value may exceed these other plaintext classification 1227 attribute values if the other attribute values within the SignerInfo, 1228 AuthEnvelopedData, or AuthenticatedData are themselves classified and 1229 warrant the higher security label value. 1231 When the classification attribute appears in more than one location 1232 in the overall key package, each security label might be associated 1233 with a different security policy. Content originators SHOULD avoid 1234 mixing multiple security policies in the same key package whenever 1235 possible since this requires that receivers and intermediaries that 1236 check the classification attribute values to include support for the 1237 union of the security policies that are present. Failure to 1238 recognize an included security policy MUST result in rejection of the 1239 key package. 1241 Receivers MUST reject any key package that includes a classification 1242 for which the receiver's processing environment is not authorized. 1244 17.1. Security Label 1246 The ESSSecurityLabel ASN.1 type is used to represent the 1247 classification. The ESSSecurityLabel is defined in Section 3.2 of 1248 [RFC2634]. 1250 The classification attribute values and classification attribute 1251 values have ASN.1 type ESSSecurityLabel, which is defined in 1252 [RFC2634]. Part of the syntax definition is repeated here to 1253 facilitate discussion: 1255 ESSSecurityLabel ::= SET { 1257 ID NSA's CMS Key Management Attributes October 13, 2015 1259 security-policy-identifier SecurityPolicyIdentifier, 1260 security-classification SecurityClassification OPTIONAL, 1261 privacy-mark ESSPrivacyMark OPTIONAL, 1262 security-categories SecurityCategories OPTIONAL } 1264 A security policy is a set of criteria for the provision of security 1265 services. The security-policy-identifier, which is an object 1266 identifier, is used to identify the security policy associated with 1267 the security label. It indicates the semantics of the other security 1268 label components. 1270 If the key package receiver does not recognize the object identifier 1271 in the security-policy-identifier field and the security label 1272 includes a security-categories field, then the key package contents 1273 MUST NOT be accepted and the enclosed keying material MUST NOT be 1274 used. If the key package receiver does not recognize the object 1275 identifier in the security-policy-identifier field and the security 1276 label does not include a security-categories field, then the key 1277 package contents MAY be accepted only if the security-classification 1278 field is present and it contains a value from the basic hierarchy as 1279 described below. 1281 This specification defines the use of the SecurityClassification 1282 field exactly as is it specified in the 1988 edition of ITU-T 1283 Recommendation X.411 [X.411], which states in part: 1285 "If present, a security-classification may have one of a 1286 hierarchical list of values. The basic security-classification 1287 hierarchy is defined in this Recommendation, but the use of these 1288 values is defined by the security-policy in force. Additional 1289 values of security-classification, and their position in the 1290 hierarchy, may also be defined by a security-policy as a local 1291 matter or by bilateral agreement. The basic security- 1292 classification hierarchy is, in ascending order: unmarked, 1293 unclassified, restricted, confidential, secret, top-secret." 1295 Implementations MUST support the basic security classification 1296 hierarchy. Such implementations MAY also support other security- 1297 classification values; however, the placement of additional values in 1298 the hierarchy MUST be specified by the security policy. 1300 Implementations MUST NOT make access control decisions based on the 1301 privacy-mark. However, information in the privacy-mark can be 1302 displayed to human users by devices that have displays to do so. The 1303 privacy-mark length MUST NOT exceed 128 characters. The privacy-mark 1304 SHALL use the PrintableString choice if all of the characters in the 1305 privacy mark are members of the printable string character set. 1307 ID NSA's CMS Key Management Attributes October 13, 2015 1309 If present, security-categories provide further granularity for the 1310 keying material. The security policy in force indicates the 1311 permitted syntaxes of any entries in the set of security categories. 1312 At most, 64 security categories may be present. The security- 1313 categories have ASN.1 type SecurityCategories and further 1314 SecurityCategory [RFC5912], which are both repeated here to 1315 facilitate discussion: 1317 SecurityCategories ::= SET SIZE (1..ub-security-categories) OF 1318 SecurityCategory 1319 {{SupportedSecurityCategories}} 1321 SecurityCategory {SECURITY-CATEGORY:Supported} ::= SEQUENCE { 1322 type [0] IMPLICIT SECURITY-CATEGORY. 1323 &id({Supported}), 1324 value [1] EXPLICIT SECURITY-CATEGORY. 1325 &Type({Supported}{@type}) 1326 } 1328 Four security categories are defined and are referred to as the 1329 Restrictive Tag, the Enumerated Tag, the Permissive Tag, and the 1330 Informative Tag. Only the Enumerated Tag and Informative Tag are 1331 permitted in the classification attribute. 1333 The Enumerated Tag is composed of one or more non-negative integers. 1334 Each non-negative integer represents a non-hierarchical security 1335 attribute that applies to the labeled content. Use of the integer 1336 representation is intended to minimize the size of the label since a 1337 particular key package generally contains only a few security 1338 categories attributes, even though a security policy might define a 1339 large set of security categories attributes. Security attributes 1340 enumerated by tags of this type could be restrictive (such as 1341 compartments) or permissive (such as release permissions). Two 1342 object identifiers for the SecurityCategory type field have been 1343 defined, one restrictive and one for permissive. The object 1344 identifiers are: 1346 id-enumeratedRestrictiveAttributes OBJECT IDENTIFIER ::= { 1347 2 16 840 1 101 2 1 8 3 4 } 1349 id-enumeratedPermissiveAttributes OBJECT IDENTIFIER ::= { 1350 2 16 840 1 101 2 1 8 3 1 } 1352 With both the restrictive and permissive security category types, the 1353 corresponding SecurityCategory value has the following ASN.1 1354 definition: 1356 EnumeratedTag ::= SEQUENCE { 1358 ID NSA's CMS Key Management Attributes October 13, 2015 1360 tagName OBJECT IDENTIFIER, 1361 attributeList SET OF SecurityAttribute } 1363 SecurityAttribute ::= INTEGER (0..MAX) 1365 Any security policy that makes use of security categories MUST assign 1366 object identifiers for each tagName, assign the set of integer values 1367 associated with each tagName, and specify the semantic meaning for 1368 each integer value. Restrictive security attributes and permissive 1369 security attributes SHOULD be associated with different tagName 1370 object identifiers. 1372 The Informative Tag is composed of either one or more non-negative 1373 integers or a bit string. Only the integer choice is allowed in this 1374 specification. Each non-negative integer represents a non- 1375 hierarchical security attribute that applies to the labeled content. 1376 Use of the integer representation is intended to minimize the size of 1377 the label since a particular key package generally contains only a 1378 few security categories attributes, even though a security policy 1379 might define a large set of security categories attributes. Security 1380 attributes enumerated by tags of this type are informative (i.e., no 1381 access control is performed). One object identifier for the 1382 SecurityCategory type field has been defined and it is as follows: 1384 id-informativeAttributes OBJECT IDENTIFIER ::= { 1385 2 16 840 1 101 2 1 8 3 3 } 1387 The corresponding SecurityCategory value has the following ASN.1 1388 definition: 1390 InformativeTag ::= SEQUENCE { 1391 tagName OBJECT IDENTIFIER, 1392 attributes FreeFormField } 1394 FreeFormField ::= CHOICE { 1395 bitSetAttributes BIT STRING, 1396 securityAttributes SET OF SecurityAttribute } 1398 Any security policy that makes use of security categories MUST assign 1399 object identifiers for each tagName, assign the set of integer values 1400 associated with each tagName, and specify the semantic meaning for 1401 each integer value. 1403 18. Split Key Identifier 1405 The key package originator may include a split-identifier attribute 1406 to designate that the keying material contains a split rather than a 1407 complete key. It may appear as a symmetric and asymmetric key 1409 ID NSA's CMS Key Management Attributes October 13, 2015 1411 attribute. The split-identifier attribute MUST NOT appear as a 1412 symmetric key package, signed, authenticated, 1413 authenticated/unprotected, or content attribute. Split keys have two 1414 halves, which are called "A" and "B." The split-identifier attribute 1415 indicates which half is included in the key package, and it 1416 optionally indicates the algorithm that is needed to combine the two 1417 halves. The combine algorithm is OPTIONAL since each key algorithm 1418 has a default mechanism for this purpose, and the combine algorithm 1419 is present only if the default mechanism is not employed. 1421 The key-split-identifier attribute has the following syntax: 1423 aa-splitIdentifier ATTRIBUTE ::= { 1424 TYPE SplitID 1425 IDENTIFIED BY id-kma-splitID } 1427 id-kma-splitID OBJECT IDENTIFIER ::= { 1428 joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) 1429 dod(2) infosec(1) keying-material-attributes(13) 11 } 1431 SplitID ::= SEQUENCE { 1432 ENUMERATED { a(0), b(1) }, 1433 combineAlg AlgorithmIdentifier 1434 {COMBINE-ALGORITHM, {CombineAlgorithms}} OPTIONAL } 1436 In most cases the default combine algorithm will be employed, which 1437 makes this attribute a simple constant that identifies either the "A" 1438 or "B" half of the split key, which supports implementation of some 1439 key distribution policies. 1441 Note that each split might have its own CRC, but the key and the 1442 check word are both recovered when the two splits are combined. 1444 Since the split-identifier attribute MUST NOT appear as a signed, 1445 authenticated, authenticated/unprotected, or content attribute, a key 1446 package cannot include multiple occurrences of the split-identifier 1447 attribute within the same scope. Receivers MUST reject any key 1448 package in which the split-identifier attribute appears as a signed, 1449 authenticated, authenticated/unprotected, or content attribute. 1451 19. Key Package Type 1453 The key-package-type attribute is a shorthand method for specifying 1454 all aspects of the key package format, including which attributes are 1455 present and the structure of the encapsulated content. The key- 1456 package-type attribute can be used as a signed, authenticated, 1457 authenticated/unprotected, or content attribute. If a key-package- 1458 type attribute appears in a content attribute associated with a 1460 ID NSA's CMS Key Management Attributes October 13, 2015 1462 collection, it is a shorthand method for specifying all aspects of 1463 the key packages that comprise the collection. 1465 Rather than implementing the full flexibility of this specification, 1466 some devices may implement support for one or more specific key 1467 package formats instantiating this specification. Those specific 1468 formats are called templates and can be identified using a key- 1469 package-type attribute. 1471 The key-package-type attribute has the following syntax: 1473 aa-keyPackageType ATTRIBUTE ::= { 1474 TYPE KeyPkgType 1475 IDENTIFIED BY id-kma-keyPkgType } 1477 id-kma-keyPkgType OBJECT IDENTIFIER ::= { 1478 joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) 1479 dod(2) infosec(1) keying-material-attributes(13) 12 } 1481 KeyPkgType ::= OBJECT IDENTIFIER 1483 Due to multiple layers of encapsulation or the use of content 1484 collections, the key-package-type attribute can appear in more than 1485 one location in the overall key package. When there are multiple 1486 occurrences of the key-package-type attribute, each occurrence is 1487 used independently. Since the receiver is likely to use the key- 1488 package-type attribute value as a decoding aid, any error will most 1489 likely lead to parsing problems, and these problems could result in 1490 many different errors being reported. 1492 20. Signature Usage 1494 The signature-usage attribute identifies the CMS content types that 1495 this key can be used to sign, or be in the cert path for validation. 1496 Symmetric key packages do not contain signature generation or 1497 signature validation keying material, so the signature-usage 1498 attribute MUST NOT appear in a symmetric key package. For an 1499 asymmetric key package, the signature-usage attribute indicates the 1500 kind of objects that are to be signed with the private key in the 1501 package. However, if the asymmetric key package contains a 1502 Certificate Signature Key, then the signature-usage attribute also 1503 indicates what signed objects can be validated using certificates 1504 that are signed by the private key in the asymmetric key package. 1505 Therefore, the signature-usage attribute also indicates what kind of 1506 objects that can be signed by the private keys associated with these 1507 certificates. The signature-usage attribute MUST NOT appear as a 1508 signed, authenticated, authenticated/unprotected, or content 1509 attribute. 1511 ID NSA's CMS Key Management Attributes October 13, 2015 1513 The signature-usage attribute has the following syntax: 1515 aa-signatureUsage-v3 ATTRIBUTE ::= { 1516 TYPE SignatureUsage 1517 IDENTIFIED BY id-kma-sigUsageV3 } 1519 id-kma-sigUsageV3 OBJECT IDENTIFIER ::= { 1520 joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) 1521 dod(2) infosec(1) keying-material-attributes(13) 22 } 1523 SignatureUsage ::= CMSContentConstraints 1525 The SignatureUsage structure has the same syntax as the 1526 CMSContentConstraints structure from [RFC6010], and it is repeated 1527 here for convenience. 1529 CMSContentConstraints ::= SEQUENCE SIZE (1..MAX) OF 1530 ContentTypeConstraint 1532 ContentTypeGeneration ::= ENUMERATED { 1533 canSource(0), 1534 cannotSource(1)} 1536 ContentTypeConstraint ::= SEQUENCE { 1537 contentType CONTENT-TYPE.&id ({ContentSet|ct-Any,...}), 1538 canSource ContentTypeGeneration DEFAULT canSource, 1539 attrConstraints AttrConstraintList OPTIONAL } 1541 Constraint { ATTRIBUTE:ConstraintList } ::= SEQUENCE { 1542 attrType ATTRIBUTE.&id({ConstraintList}), 1543 attrValues SET SIZE (1..MAX) OF ATTRIBUTE. 1544 &Type({ConstraintList}{@attrType}) } 1546 SupportedConstraints ATTRIBUTE ::= {SignedAttributesSet, ... } 1548 AttrConstraintList ::= SEQUENCE SIZE (1..MAX) OF 1549 Constraint {{ SupportedConstraints }} 1551 NOTE: SignedAttributeSet is updated by this specification. 1553 The SignatureUsage contains a type of CMSContentConstraints. One or 1554 more ContentTypeConstraint MUST appear in CMSContentConstraints. 1556 Within ContentTypeConstraint, the contentType field indicates the 1557 encapsulated content type identifier that can be signed with the 1558 signature key. A particular content type MUST NOT appear more than 1559 once in the list. The CMS protecting content types need not be 1560 included in the list of permitted content types as the use of CMS is 1562 ID NSA's CMS Key Management Attributes October 13, 2015 1564 always authorized (see [RFC6010]). 1566 Within ContentTypeConstraint, the canSource enumeration indicates 1567 whether the signature key can be used to directly sign the indicated 1568 content type. If the ContentTypeConstraint is canSource (the default 1569 value), then the signature key can be used to directly sign the 1570 specified content type. If the ContentTypeConstraint is 1571 cannotSource, then the signature key can only be used with the 1572 specified content type if it encapsulates a signature that was 1573 generated by an originator with a ContentTypeConstraint that is 1574 canSource. 1576 Within ContentTypeList, the attrConstraints OPTIONAL field contains a 1577 sequence of content type specific constraints. If the 1578 attrConstraints field is absent, the signature key can be used to 1579 sign the specified content type, without any further checking. If 1580 the either the attrConstraints field is present, then the signature 1581 key can only be used to sign the specified content type if all of the 1582 constraints for that content type are satisfied. Content type 1583 constraints are checked by matching the attribute values in the 1584 attrConstraint field against the attribute value in the content. The 1585 constraints succeed if the attribute is not present; they fail if the 1586 attribute is present and the value is not one of the values provided 1587 in attrConstraint. 1589 The fields of attrConstraints implement content type-specific 1590 constraints. The attrType field is an AttributeType, which is an 1591 object identifier of a signed attribute carried in the SignerInfo of 1592 the content. The attrValues field provides one or more acceptable 1593 signed attribute values. It is a set of AttributeValue. For a 1594 signed content to satisfy the constraint, the SignerInfo MUST include 1595 a signed attribute of the type identified in the attrType field, and 1596 the signed attribute MUST contain one of the values in the set 1597 carried in attrValues. 1599 Since the signature-usage attribute MUST NOT appear as a signed, 1600 authenticated, authenticated/unprotected, or content attribute, an 1601 asymmetric key package cannot include multiple occurrences of the 1602 signature-usage attribute within the same scope. Receivers MUST 1603 reject any asymmetric key package in which the signature-usage 1604 attribute appears as a signed, authenticated, 1605 authenticated/unprotected, or content attribute. 1607 21. Other Certificate Format 1609 The other-certificate-formats attribute specifies the type, format, 1610 and value of certificates that are not X.509 public key certificates. 1611 Symmetric key packages do not contain any certificates, so the 1613 ID NSA's CMS Key Management Attributes October 13, 2015 1615 other-certificate-formats attribute MUST NOT appear in a symmetric 1616 key package. It SHOULD appear in the attributes field, when the 1617 publicKey field is absent and the certificate format is not X.509. 1618 This attribute MUST NOT appear in an attributes field that includes 1619 the user-certificate attribute from Section 8. The other- 1620 certificate-formats attribute MUST NOT appear as a signed, 1621 authenticated, authenticated/unprotected, or content attribute. 1623 The other-certificate-formats attribute has the following syntax: 1625 aa-otherCertificateFormats ATTRIBUTE ::= { 1626 TYPE CertificateChoices 1627 IDENTIFIED BY id-kma-otherCertFormats } 1629 id-kma-otherCertFormats OBJECT IDENTIFIER ::= { 1630 joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) 1631 dod(2) infosec(1) keying-material-attributes(13) 19 } 1633 CertificateChoices ::= CHOICE { 1634 certificate Certificate, 1635 extendedCertificate [0] IMPLICIT ExtendedCertificate, 1636 -- Obsolete 1637 v1AttrCert [1] IMPLICIT AttributeCertificateV1, 1638 -- Obsolete 1639 v2AttrCert [2] IMPLICIT AttributeCertificateV2, 1640 other [3] IMPLICIT OtherCertificateFormat } 1642 OtherCertificateFormat ::= SEQUENCE { 1643 otherCertFormat OBJECT IDENTIFIER, 1644 otherCert ANY DEFINED BY otherCertFormat } 1646 The other-certificate-formats attribute makes use of the 1647 CertificateChoices field defined in Section 10.2.2 of [RFC5652]. The 1648 certificate, extendedCertificate, and v1AttrCert fields MUST be 1649 omitted. The v2AttrCert field can include Version 2 Attribute 1650 Certificates. The other field can include EFF certificates and other 1651 as-yet undefined certificate formats. 1653 Since the other-certificate-formats attribute MUST NOT appear as a 1654 signed, authenticated, authenticated/unprotected, or content 1655 attribute, an asymmetric key package cannot include multiple 1656 occurrences of the other-certificate-formats attribute within the 1657 same scope. Receivers MUST reject any asymmetric key package in 1658 which the other-certificate-formats attribute appears as a signed, 1659 authenticated, authenticated/unprotected, or content attribute. 1661 22. PKI Path 1662 ID NSA's CMS Key Management Attributes October 13, 2015 1664 The pki-path attribute includes certificates that can aid in the 1665 validation of the certificate carried in the user-certificate 1666 attribute. Symmetric key packages do not contain any certificates, 1667 so the pkiPath attribute MUST NOT appear in a symmetric key package. 1668 It can appear as an asymmetric key, signed, authenticated, 1669 authenticated/unprotected, or content attribute. It can appear in 1670 the attributes field, when the publicKey field is absent and the 1671 certificate format is X.509. This attribute MUST NOT appear in an 1672 AsymmetricKeyPackage that has an other-certificate-formats attribute 1673 in the attributes field. If the pki-path attribute appears as a 1674 signed, authenticated, authenticated/unprotected, or content 1675 attribute, then the value includes certificates that can be used to 1676 construct certification path to all of the keying material within the 1677 content. This attribute MUST be supported. 1679 The syntax is taken from [X.509] but redefined using the ATTRIBUTE 1680 CLASS from [RFC5911]. The pki-path attribute has the following 1681 syntax: 1683 aa-pkiPath ATTRIBUTE ::= { 1684 TYPE PkiPath 1685 IDENTIFIED BY id-at-pkiPath } 1687 id-at-pkiPath OBJECT IDENTIFIER ::= { 1688 joint-iso-itu-t(2) ds(5) attributes(4) 70 } 1690 PkiPath ::= SEQUENCE SIZE (1..MAX) OF Certificate 1692 The first certificate in the sequence is the subject's parent 1693 Certification Authority (CA). The next certificate is that CA's 1694 parent, and so on. The end-entity and Trust Anchor are not included 1695 in this attribute. 1697 Due to multiple layers of encapsulation or the use of content 1698 collections, the pki-path attribute can appear in more than one 1699 location in the overall key package. When the pki-path attribute 1700 appears in more than one location in the overall key package, each 1701 occurrence is evaluated independently. 1703 23. Useful Certificates 1705 The useful-certificates attribute includes certificates that can aid 1706 in the validation of certificates associated with other parties with 1707 whom secure communications are anticipated. It can appear as an 1708 asymmetric key, signed, authenticated, authenticated/unprotected, or 1709 content attribute. For an asymmetric key that has an other- 1710 certificate-formats attribute from Section 21 in the attributes 1711 field, the useful-certificates attribute MUST NOT appear. If the 1713 ID NSA's CMS Key Management Attributes October 13, 2015 1715 useful-certificates attribute appears as a signed, authenticated, 1716 authenticated/unprotected, or content attribute, then the value 1717 includes certificates that may be used to validate certificate of 1718 others the receiver communicates with. This attribute MUST be 1719 supported. 1721 The useful-certificates attribute has the following syntax: 1723 aa-usefulCertificates ATTRIBUTE ::= { 1724 TYPE CertificateSet 1725 IDENTIFIED BY id-kma-usefulCerts } 1727 id-kma-usefulCerts OBJECT IDENTIFIER ::= { 1728 joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) 1729 dod(2) infosec(1) keying-material-attributes(13) 20 } 1731 CertificateSet ::= SET OF CertificateChoices 1733 The useful-certificates attribute makes use of the CertificateSet 1734 field defined in Section 10.2.3 of [RFC5652]. Within the 1735 CertificateChoices field, the extendedCertificate and v1AttrCert 1736 fields MUST always be omitted. If the userCertificate attribute from 1737 Section 8 is included, the other field MUST NOT be present. If the 1738 other-certificate-formats attribute from Section 21 is included, the 1739 certificate field MUST NOT be present. 1741 Due to multiple layers of encapsulation or the use of content 1742 collections, the useful-certificates attribute can appear in more 1743 than one location in the overall key package. When the useful- 1744 certificates attribute appears in more than one location in the 1745 overall key package, each occurrence is evaluated independently. 1747 24. Key Wrap Algorithm 1749 The key-wrap-algorithm attribute identifies a key wrap algorithm with 1750 an algorithm identifier. It can appear as a symmetric key or 1751 symmetric key package attribute. When this attribute is present in 1752 sKeyAttrs, it indicates that the associated sKey field contains a 1753 black key, which is an encrypted key, that that was wrapped by the 1754 identified algorithm. When this attribute is present in 1755 sKeyPkgAttrs, it indicates that every sKey field in that symmetric 1756 key package contains a black key, and that all keys are wrapped by 1757 the same designated algorithm. 1759 The key-wrap-algorithm attribute has the following syntax: 1761 aa-keyWrapAlgorithm ATTRIBUTE ::= { 1762 TYPE AlgorithmIdentifier{KEY-WRAP, {KeyEncryptionAlgorithmSet}} 1764 ID NSA's CMS Key Management Attributes October 13, 2015 1766 IDENTIFIED BY id-kma-keyWrapAlgorithm } 1768 id-kma-keyWrapAlgorithm OBJECT IDENTIFIER ::= { 1769 joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) 1770 dod(2) infosec(1) keying-material-attributes(13) 21 } 1772 KeyEncryptionAlgorithmSet KEY-WRAP ::= { ... } 1774 25. Content Decryption Key Identifier 1776 The content-decryption-key-identifier attribute can appear as an 1777 unprotected attribute as well as a symmetric and symmetric key 1778 package attribute. The attribute's semantics differ based on the 1779 location. 1781 25.1. Content Decryption Key Identifier: Symmetric Key and Symmetric Key 1782 Package 1784 The content-decryption-key-identifier attribute [RFC6032] identifies 1785 the keying material needed to decrypt the sKey. It can appear as a 1786 symmetric key and symmetric key package attribute. If the key-wrap- 1787 algorithm attribute appears in sKeyPkgAttrs, then the corresponding 1788 content-decryption-identifier attribute can appear in either 1789 sKeyPkgAttrs or sKeyAttrs. If the key-wrap-algorithm attribute 1790 appears from Section 24 in sKeyAttrs, then the corresponding content- 1791 decryption-identifier attribute MUST appear in sKeyAttrs. 1793 The content-decryption-key-identifier attribute in included for 1794 convenience: 1796 aa-contentDecryptKeyIdentifier ATTRIBUTE ::= { 1797 TYPE ContentDecryptKeyID 1798 IDENTIFIED BY id-aa-KP-contentDecryptKeyID } 1800 id-aa-KP-contentDecryptKeyID OBJECT IDENTIFIER ::= { 1801 joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) 1802 dod(2) infosec(1) attributes(5) 66 } 1804 ContentDecryptKeyID ::= OCTET STRING 1806 The content decryption key identifier contains an octet string, and 1807 this syntax does not impose any particular structure on the 1808 identifier value. 1810 25.2. Content Decryption Key Identifier: Unprotected 1812 The content-decryption-key-identifier attribute can be used to 1813 identify the keying material that is needed for decryption of the 1815 ID NSA's CMS Key Management Attributes October 13, 2015 1817 EncryptedData content if there is any ambiguity. 1819 The content-decryption-key-identifier attribute syntax is found in 1820 Section 25.1. The content decryption key identifier contains an octet 1821 string, and this syntax does not impose any particular structure on 1822 the identifier value. 1824 Due to multiple layers of encryption, the content-decryption-key- 1825 identifier attribute can appear in more than one location in the 1826 overall key package. When there are multiple occurrences of the 1827 content-decryption-key-identifier attribute, each occurrence is 1828 evaluated independently. Each one is used to identify the needed 1829 keying material for that layer of encryption. 1831 26. Certificate Pointers 1833 The certificate-pointers attribute can be used to reference one or 1834 more certificates that may be helpful in the processing of the 1835 content once it is decrypted. Sometimes certificates are omitted if 1836 they can be easily fetched. However, an intermediary may have better 1837 facilities to perform the fetching than the receiver. The 1838 certificate-pointers attribute may be useful in some environments. 1839 This attribute can appear as an unprotected and an 1840 unauthenticated/unprotected attribute. 1842 The certificate-pointers attribute uses the same syntax and semantics 1843 as the subject information access certificate extension [RFC5280]. 1844 The certificate-pointers attribute has the following syntax: 1846 aa-certificatePointers ATTRIBUTE ::= { 1847 TYPE SubjectInfoAccessSyntax 1848 IDENTIFIED BY id-pe-subjectInfoAccess } 1850 id-pe-subjectInfoAccess OBJECT IDENTIFIER ::= { 1851 iso(1) identified-organization(3) dod(6) internet(1) 1852 security(5) mechanisms(5) pkix(7) pe(1) 11 } 1854 SubjectInfoAccessSyntax ::= SEQUENCE SIZE (1..MAX) OF 1855 AccessDescription 1857 AccessDescription ::= SEQUENCE { 1858 accessMethod OBJECT IDENTIFIER, 1859 accessLocation GeneralName } 1861 As specified in [RFC5280], the id-ad-caRepository access method can 1862 be used to point to a repository where a Certification Authority 1863 publishes certificates and Certificate Revocation Lists (CRLs). In 1864 this case, the accessLocation field tells how to access the 1866 ID NSA's CMS Key Management Attributes October 13, 2015 1868 repository. Where the information is available via http, ftp, or 1869 ldap, accessLocation contains a uniform resource identifier (URI). 1870 Where the information is available via the directory access protocol 1871 (dap), accessLocation contains a directory name. 1873 27. CRL Pointers 1875 The CRL-pointers attribute can be used to reference one or more CRLs 1876 that may be helpful in the processing of the content once it is 1877 decrypted. Sometimes CRLs are omitted to conserve space or to ensure 1878 that the most recent CRL is obtained when the certificate is 1879 validated. However, an intermediary may have better facilities to 1880 perform the fetching than the receiver. The CRL-pointers attribute 1881 may be useful in some environments. This attribute can appear as an 1882 unprotected and unauthenticated/unprotected attribute. 1884 The CRL-pointers attribute has the following syntax: 1886 aa-crlPointers ATTRIBUTE ::= { 1887 TYPE GeneralNames 1888 IDENTIFIED BY id-aa-KP-crlPointers } 1890 id-aa-KP-crlPointers OBJECT IDENTIFIER ::= { 1891 joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) 1892 dod(2) infosec(1) attributes(5) 70 } 1894 The CRL-pointers attribute uses the GeneralNames syntax from 1895 [RFC5280]. Each name describes a different mechanism to obtain the 1896 same CRL. Where the information is available via http, ftp, or ldap, 1897 GeneralNames contains a uniform resource identifier (URI). Where the 1898 information is available via the directory access protocol (dap), 1899 GeneralNames contains a directory name. 1901 28. Key Package Identifier and Receipt Request 1903 The Key Package Identifier and Receipt Request attribute from 1904 [RFC7191] is also supported. It can appear as a signed attribute, 1905 authenticated, authenticated/unprotected, or content attribute. 1907 29. Additional Error Codes 1909 This specification also defines three additional extendedErrorCodes 1910 [RFC7191]: 1912 id-errorCodes OBJECT IDENTIFIER ::= { 1913 joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) 1914 dod(2) infosec(1) errorCodes(22) } 1916 ID NSA's CMS Key Management Attributes October 13, 2015 1918 id-missingKeyType OBJECT IDENTIFIER ::= { 1919 id-errorCodes 1 } 1921 id-privacyMarkTooLong OBJECT IDENTIFIER ::= { 1922 id-errorCodes 2 } 1924 id-unrecognizedSecurityPolicy OBJECT IDENTIFIER ::= { 1925 id-errorCodes 3 } 1927 id-incorrectKeyProvince OBJECT IDENTIFIER ::= { 1928 id-errorCodes 4 } 1930 missingKeyType indicates that all keying material within a package is 1931 of the same type; however, the key type attribute is not specified in 1932 sKeyPkgAttrs [RFC6031]. 1934 privacyMarkTooLong indicates that a classification attribute includes 1935 a privacy mark that exceeds 128 characters in length. 1937 unrecognizedSecurityPolicy indicates that a security-policy- 1938 identifier is not supported. 1940 incorrectKeyProvince indicates that the value of the key province 1941 attribute in a key package does not match the key province constraint 1942 of the TA used to validate the key package. 1944 30. Processing Key Package Attribute Values and CMS Content Constraints 1946 Trust anchors may contain constraints for any content type [RFC5934]. 1947 When the trust anchor contains constraints for the symmetric key 1948 package content type or the asymmetric key package content type, then 1949 the constraints provide default values for key package attributes 1950 that are not present in the key package and define the set of 1951 acceptable values for key package attributes that are present. 1953 When a trust anchor delegates authority by issuing an X.509 1954 certificate, the CMS content constraints certificate extension 1955 [RFC6010] may be included to constrain the authorizations. The trust 1956 anchor and the X.509 certification path provide default values for 1957 key package attributes that are not present in the key package and 1958 define the set of acceptable of values for key package attributes 1959 that are present. 1961 Constraints on content type usage are represented as attributes. 1963 The processing procedures for the CMS content constraints certificate 1964 extension [RFC6010] are part of the validation of a signed or 1966 ID NSA's CMS Key Management Attributes October 13, 2015 1968 authenticated object, and the procedures yield three output values: 1969 cms_constraints, cms_effective_attributes, and 1970 cms_default_attributes. Object validation MUST be performed before 1971 processing the key package contents, and these outputs values are 1972 used as part of key package processing. These same output values are 1973 easily generated directly from a trust anchor and the key package 1974 when no X.509 certification path is involved in validation. 1976 The cms_effective_attributes provides the set of acceptable values 1977 for attributes. Each attribute present in the key package that 1978 corresponds to an entry in cms_effective_attributes MUST contain a 1979 value that appears in cms_effective_attributes entry. Attributes 1980 that do not correspond to an entry in cms_effective_attributes are 1981 unconstrained and may contain any value. Correspondence between 1982 attributes and cms_effective_attributes is determined by comparing 1983 the attribute object identifier to object identifier for each entry 1984 in cms_effective_attributes. 1986 The cms_default_attributes provides values for attributes that do not 1987 appear in the key package. If cms_default_attributes includes only 1988 one attribute value for a particular attribute, then that value is 1989 used as if it were included in the key package itself. However, if 1990 cms_default_attributes includes more than one value for a particular 1991 attribute, then the appropriate value remains ambiguous and the key 1992 package should be rejected. 1994 Some attributes can appear in more than one place in the key package, 1995 and for this reason, the attribute definitions include consistency 1996 checks. These checks are independent of constraints checking. In 1997 addition to the consistency checks, each instance of the attribute 1998 MUST be checked against the set of cms_effective_attributes, and the 1999 key package MUST be rejected if any of the attributes values are not 2000 in the set of authorized set of values. 2002 31. Attribute Scope 2004 This section provides an example symmetric key package in order to 2005 provide a discussion of the scope of attributes. This is an 2006 informative section; it is not a normative portion of this 2007 specification. Figure 1 provides the example. All of the concepts 2008 apply to either a symmetric key package or an asymmetric key package, 2009 with the exception of the key-algorithm attribute which is only 2010 applicable to a symmetric key package. Each of the components is 2011 labeled with a number inside parentheses for easy reference: 2013 o (1) is the ContentInfo that must be present as the outermost 2014 layer of encapsulation. It contains no attributes. It is shown 2015 for completeness. 2017 ID NSA's CMS Key Management Attributes October 13, 2015 2019 o (2) is a SignedData content type, which includes six signed 2020 attributes. Four of the signed attributes are keying material 2021 attributes. 2023 o (3) is a ContentCollection that includes two encapsulated content 2024 types: a ContentWithAttributes and an EncryptedKeyPackage. This 2025 content type does not provide any attributes. 2027 o (4) is a ContentWithAttributes content type. It encapsulates a 2028 SignedData content type. Four key material attributes are 2029 provided. 2031 o (5) is a SignedData content type. It encapsulates a 2032 SymmetricKeyPackage content type. Six signed attributes are 2033 provided. Four attributes are key material attributes. 2035 o (6) is a SymmetricKeyPackage content type, and it includes three 2036 key material attributes. Note that the contents of this key 2037 package are not encrypted, but the contents are covered by two 2038 digital signatures. 2040 o (7) is an EncryptedKeyPackage content type. It encapsulates a 2041 SignedData content type. This content type provides one 2042 unprotected attribute. 2044 o (8) is a SignedData content type. It encapsulates a 2045 SymmetricKeyPackage content type. Six signed attributes are 2046 provided. Four attributes are key material attributes. 2048 o (9) is a SymmetricKeyPackage content type, and it includes three 2049 key material attributes. Note that the contents of this key 2050 package are encrypted, and the plaintext keying material is 2051 covered by one digital signature, and the ciphertext keying 2052 material is covered by another digital signature. 2054 SignedData content type (2) includes six signed attributes: 2056 o The content-type attribute contains id-ct-contentCollection to 2057 indicate the type of the encapsulated content, and it has no 2058 further scope. 2060 o The message-digest attribute contains the one-way hash value of 2061 the encapsulated content; it is needed to validate the digital 2062 signature. It has no further scope. 2064 o The classification attribute contains security label for all of 2065 the plaintext in the encapsulated content. Each classification 2066 attribute is evaluated separately; it has no further scope. In 2068 ID NSA's CMS Key Management Attributes October 13, 2015 2070 general, the values of this attribute will match or dominate the 2071 security label values in (4), (5), and (6). The value of this 2072 attribute might not match or dominate the security label values 2073 in (8) and (9) since they are encrypted. It is possible that 2074 these various security label values are associated with different 2075 security policies. Comparison is not required in order to avoid 2076 the processing complexity associated with policy mapping. 2078 o The key-package-receivers-v2 attribute indicates the authorized 2079 key package receivers, and it has no further scope. The key- 2080 package-receivers-v2 attribute value within (4) is evaluated 2081 without regard to the value of this attribute. 2083 o The key-distribution-period attribute contains two date values: 2084 doNotDistBefore and doNotDistAfter. These values must match all 2085 others within the same scope, which in this example is the key- 2086 distribution-period within (4). 2088 o The key-package-type attributes indicates the format of the key 2089 package, and it has no further scope. The key-package-type 2090 attributes values within (5) and (8) are evaluated without regard 2091 to the value of this attribute. 2093 ContentWithAttributes content type (4) includes four attributes: 2095 o The classification attribute contains security label for all of 2096 the plaintext in the encapsulated content. Each classification 2097 attribute is evaluated separately; it has no further scope. 2099 o The TSEC-Nomenclature attribute includes only the shortTitle 2100 field, and the value must match all other instances within the 2101 same scope, which appear in (5) and (6). Note that the TSEC- 2102 Nomenclature attribute values in (8) and (9) are not in the same 2103 scope as the TSEC-Nomenclature attribute that appears in (4). 2105 o The key-package-receivers-v2 attribute indicates the authorized 2106 key package receivers, and it has no further scope. The key- 2107 package-receivers-v2 attribute value within (2) is evaluated 2108 without regard to the value of this attribute. 2110 o The key-distribution-period attribute contains two date values: 2111 doNotDistBefore and doNotDistAfter. These values must match all 2112 others within the same scope, which in this example is the key- 2113 distribution-period within (2). 2115 SignedData content type (5) includes six signed attributes: 2117 o The content-type attribute contains id-ct-KP-skeyPackage to 2119 ID NSA's CMS Key Management Attributes October 13, 2015 2121 indicate the type of the encapsulated content, and it has no 2122 further scope. 2124 o The message-digest attribute contains the one-way hash value of 2125 the encapsulated content; it is needed to validate the digital 2126 signature. It has no further scope. 2128 o The classification attribute contains security label for all of 2129 the plaintext in the encapsulated content. Each classification 2130 attribute is evaluated separately; it has no further scope. 2132 o The TSEC-Nomenclature attribute includes only the shortTitle 2133 field, and the value must match all other instances within the 2134 same scope, which appear in (6). Since this is within the scope 2135 of (4), these shortTitle field values must match as well. Note 2136 that the TSEC-Nomenclature attribute values in (8) and (9) are 2137 not in the same scope. 2139 o The key-purpose attribute specifies the purpose of the key 2140 material. All occurrences within the scope must have the same 2141 value, but in this example, there are no other occurrences within 2142 the scope. The key-purpose attribute value within (8) is 2143 evaluated without regard to the value of this value. 2145 o The key-package-type attribute indicates the format of the key 2146 package, and it has no further scope. The key-package-type 2147 attribute values within (2) and (8) are evaluated without regard 2148 to the value of this attribute. 2150 SymmetricKeyPackage content type (6) includes three keying material 2151 attributes, which could appear in the sKeyPkgAttrs or sKeyAttrs 2152 fields: 2154 o The key-algorithm attribute includes only the keyAlg field, and 2155 it must match all other occurrences within the same scope. 2156 However, there are no other key-algorithm attribute occurrences 2157 in the same scope; the key-algorithm attribute value in (9) is 2158 not in the same scope. 2160 o The classification attribute contains security label for all of 2161 the plaintext in the key package. Each classification attribute 2162 is evaluated separately; it has no further scope. 2164 o The TSEC-Nomenclature attribute includes the shortTitle field as 2165 well as some of the optional fields. The shortTitle field value 2166 must match the values in (4) and (5), since this content type is 2167 within their scope. Note that the TSEC-Nomenclature attribute 2168 values in (8) and (9) are not in the same scope. 2170 ID NSA's CMS Key Management Attributes October 13, 2015 2172 EncryptedKeyPackage content type (7) includes one unprotected 2173 attribute, and the encryption will prevent any intermediary that does 2174 not have the ability to decrypt the content from making any 2175 consistency checks on (8) and (9): 2177 o The content-decryption-key-identifier attribute identifies the 2178 key that is needed to decrypt the encapsulated content; it has no 2179 further scope. 2181 SignedData content type (8) includes six signed attributes: 2183 o The content-type attribute contains id-ct-KP-skeyPackage to 2184 indicate the type of the encapsulated content, and it has no 2185 further scope. 2187 o The message-digest attribute contains the one-way hash value of 2188 the encapsulated content; it is needed to validate the digital 2189 signature. It has no further scope. 2191 o The classification attribute contains security label for content. 2192 Each classification attribute is evaluated separately; it has no 2193 further scope. 2195 o The TSEC-Nomenclature attribute includes only the shortTitle 2196 field, and the value must match all other instances within the 2197 same scope, which appear in (9). Note that the TSEC-Nomenclature 2198 attribute values in (4), (5), and (6) are not in the same scope. 2200 o The key-purpose attribute specifies the purpose of the key 2201 material. All occurrences within the scope must have the same 2202 value, but in this example, there are no other occurrences within 2203 the scope. The key-purpose attribute value within (5) is 2204 evaluated without regard to the value of this attribute. 2206 o The key-package-type attribute indicates the format of the key 2207 package, and it has no further scope. The key-package-type 2208 attribute values within (2) and (5) are evaluated without regard 2209 to the value of this attribute. 2211 SymmetricKeyPackage content type (9) includes three keying material 2212 attributes, which could appear in the sKeyPkgAttrs or sKeyAttrs 2213 fields: 2215 o The key-algorithm attribute includes only the keyAlg field, and 2216 it must match all other occurrences within the same scope. 2217 However, there are no other key-algorithm attribute occurrences 2218 in the same scope; the key-algorithm attribute value in (6) is 2219 not in the same scope. 2221 ID NSA's CMS Key Management Attributes October 13, 2015 2223 o The classification attribute contains security label for all of 2224 the plaintext in the key package. Each classification attribute 2225 is evaluated separately; it has no further scope. 2227 o The TSEC-Nomenclature attribute includes the shortTitle field as 2228 well as some of the optional fields. The shortTitle field value 2229 must match the values in (8), since this content type is within 2230 its scope. Note that the TSEC-Nomenclature attributes values in 2231 (4), (5), and (6) are not in the same scope. 2233 In summary, the scope of an attribute includes the encapsulated 2234 content of the CMS content type in which it appears, and some 2235 attributes also require consistency checks with other instances that 2236 appear within the encapsulated content. Proper recognition of scope 2237 is required to accurately perform attribute processing. 2239 ID NSA's CMS Key Management Attributes October 13, 2015 2241 +------------------------------------------------------------------+ 2242 | ContentInfo (1) | 2243 |+----------------------------------------------------------------+| 2244 || SignedData (2) || 2245 ||+--------------------------------------------------------------+|| 2246 ||| ContentCollection (3) ||| 2247 |||+-----------------------------++-----------------------------+||| 2248 |||| ContentWithAttributes (4) || EncryptedKeyPackage (7) |||| 2249 ||||+---------------------------+||+---------------------------+|||| 2250 ||||| SignedData (5) |||| SignedData (8) ||||| 2251 |||||+-------------------------+||||+-------------------------+||||| 2252 |||||| SymmetricKeyPackage (6) |||||| SymmetricKeyPackage (9) |||||| 2253 |||||| Attributes: |||||| Attributes: |||||| 2254 |||||| Key Algorithm |||||| Key Algorithm |||||| 2255 |||||| Classification |||||| Classification |||||| 2256 |||||| TSEC-Nomenclature |||||| TSEC-Nomenclature |||||| 2257 |||||+-------------------------+||||+-------------------------+||||| 2258 ||||| Attributes: |||| Attributes: ||||| 2259 ||||| Content Type |||| Content Type ||||| 2260 ||||| Message Digest |||| Message Digest ||||| 2261 ||||| Classification |||| Classification ||||| 2262 ||||| TSEC-Nomenclature |||| TSEC-Nomenclature ||||| 2263 ||||| Key Purpose |||| Key Purpose ||||| 2264 ||||| Key Package Type |||| Key Package Type ||||| 2265 ||||+-------------------------- +||+---------------------------+|||| 2266 |||| Attributes: || Unprotect Attributes: |||| 2267 |||| Classification || Content Decrypt Key ID |||| 2268 |||| TSEC-Nomenclature |+-----------------------------+||| 2269 |||| Key Package Receivers | ||| 2270 |||| Key Distribution Period | ||| 2271 |||+-----------------------------+ ||| 2272 ||+--------------------------------------------------------------+|| 2273 || Attributes: || 2274 || Content Type || 2275 || Message Digest || 2276 || Classification || 2277 || Key Package Receivers || 2278 || Key Distribution Period || 2279 || Key Package Type || 2280 |+----------------------------------------------------------------+| 2281 +------------------------------------------------------------------+ 2283 Figure 1: Example Illustrating Scope of Attributes 2285 32. Security Considerations 2287 The majority of this specification is devoted to the syntax and 2289 ID NSA's CMS Key Management Attributes October 13, 2015 2291 semantics of key package attributes. It relies on other 2292 specifications, especially [RFC2634] [RFC4073] [RFC4108] [RFC5652] 2293 [RFC5911] [RFC5912] [RFC5958] [RFC6010] [RFC6031]; their security 2294 considerations apply here. Additionally, cryptographic algorithms 2295 are used with CMS protecting content types [RFC5959] [RFC6160] 2296 [RFC6162]; their security considerations apply here as well. 2298 This specification also relies upon [RFC5280] for the syntax and 2299 semantics of X.509 certificates. Digital signatures provide data 2300 integrity or data origin authentication, and encryption provides 2301 confidentiality. 2303 Security factors outside the scope of this specification greatly 2304 affect the assurance provided. The procedures used by Certification 2305 Authorities (CAs) to validate the binding of the subject identity to 2306 their public key greatly affect the assurance that ought to be placed 2307 in the certificate. This is particularly important when issuing 2308 certificates to other CAs. 2310 The CMS AuthenticatedData content type MUST be used with care since a 2311 message authentication code (MAC) is used. The same key is needed to 2312 generate the MAC or validate the MAC. Thus, any party with access to 2313 the key needed to validate the MAC can generate a replacement that 2314 will be acceptable to other recipients. 2316 33. IANA Considerations 2318 None. 2320 34. References 2322 34.1 Normative References 2324 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 2325 Requirement Levels", BCP 14, RFC 2119, March 1997. 2327 [RFC2634] Hoffman, P., Ed., "Enhanced Security Services for S/MIME", 2328 RFC 2634, June 1999. 2330 [RFC4073] Housley, R., "Protecting Multiple Contents with the 2331 Cryptographic Message Syntax (CMS)", RFC 4073, May 2005. 2333 [RFC4108] Housley, R., "Using Cryptographic Message Syntax (CMS) to 2334 Protect Firmware Packages", RFC 4108, August 2005. 2336 [RFC5083] Housley, R., "Cryptographic Message Syntax (CMS) 2337 Authenticated-Enveloped-Data Content Type", RFC 5083, 2338 November 2007. 2340 ID NSA's CMS Key Management Attributes October 13, 2015 2342 [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., 2343 Housley, R., and W. Polk, "Internet X.509 Public Key 2344 Infrastructure Certificate and Certificate Revocation List 2345 (CRL) Profile", RFC 5280, May 2008. 2347 [RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70, 2348 RFC 5652, September 2009. 2350 [RFC5911] Hoffman, P. and J. Schaad, "New ASN.1 Modules for 2351 Cryptographic Message Syntax (CMS) and S/MIME", RFC 5911, 2352 June 2010. 2354 [RFC5912] Hoffman, P. and J. Schaad, "New ASN.1 Modules for the 2355 Public Key Infrastructure Using X.509 (PKIX)", RFC 5912, 2356 June 2010. 2358 [RFC5958] Turner, S., "Asymmetric Key Packages", RFC 5958, August 2359 2010. 2361 [RFC5959] Turner, S., "Algorithms for Asymmetric Key Package Content 2362 Type", RFC 5959, August 2010. 2364 [RFC6010] Housley, R., Ashmore, S., and C. Wallace, "Cryptographic 2365 Message Syntax (CMS) Content Constraints Extension", 2366 RFC 6010, September 2010. 2368 [RFC6019] Housley, R., "BinaryTime: An Alternate Format for 2369 Representing Date and Time in ASN.1", RFC 6019, September 2370 2010. 2372 [RFC6031] Turner, S. and R. Housley, "Cryptographic Message Syntax 2373 (CMS) Symmetric Key Package Content Type", RFC 6031, 2374 December 2010. 2376 [RFC6032] Turner, S. and R. Housley, "Cryptographic Message Syntax 2377 (CMS) Encrypted Key Package Content Type", RFC 6032, 2378 December 2010. 2380 [RFC6160] Turner, S., "Algorithms for Cryptographic Message Syntax 2381 (CMS) Protection of Symmetric Key Package Content Types", 2382 RFC 6160, April 2011. 2384 [RFC6162] Turner, S., "Elliptic Curve Algorithms for Cryptographic 2385 Message Syntax (CMS) Asymmetric Key Package Content Type", 2386 RFC 6162, April 2011. 2388 [RFC6268] Schaad, J. and S. Turner, "Additional New ASN.1 Modules 2389 for the Cryptographic Message Syntax (CMS) and the Public 2391 ID NSA's CMS Key Management Attributes October 13, 2015 2393 Key Infrastructure Using X.509 (PKIX)", RFC 6268, July 2394 2011. 2396 [RFC7191] Housley, R., "Cryptographic Message Syntax (CMS) Key 2397 Package Receipt and Error Content Types", RFC 7191, April 2398 2014. 2400 [X.509] ITU-T Recommendation X.509 (2005) | ISO/IEC 9594-8:2005, 2401 Information technology - Open Systems Interconnection - 2402 The Directory: Public-key and attribute certificate 2403 frameworks. 2405 [X.680] ITU-T Recommendation X.680 (2002) | ISO/IEC 8824-1:2002. 2406 Information Technology - Abstract Syntax Notation One. 2408 [X.681] ITU-T Recommendation X.681 (2002) | ISO/IEC 8824-2:2002. 2409 Information Technology - Abstract Syntax Notation One: 2410 Information Object Specification. 2412 [X.682] ITU-T Recommendation X.682 (2002) | ISO/IEC 8824-3:2002. 2413 Information Technology - Abstract Syntax Notation One: 2414 Constraint Specification. 2416 [X.683] ITU-T Recommendation X.683 (2002) | ISO/IEC 8824-4:2002. 2417 Information Technology - Abstract Syntax Notation One: 2418 Parameterization of ASN.1 Specifications. 2420 [X.690] ITU-T Recommendation X.690 (2002) | ISO/IEC 8825-1:2002. 2421 Information Technology - ASN.1 encoding rules: 2422 Specification of Basic Encoding Rules (BER), Canonical 2423 Encoding Rules (CER) and Distinguished Encoding Rules 2424 (DER). 2426 34.2 Informative References 2428 [RFC5934] Housley, R., Ashmore, S., and C. Wallace, "Trust Anchor 2429 Management Protocol (TAMP)", RFC 5934, August 2010. 2431 [X.411] ITU-T Recommendation X.411 (1988) | ISO/IEC 10021-4:1988, 2432 Data Communication Networks Message Handling Systems - 2433 Message Transfer System - Abstract Service Definition and 2434 Procedures. 2436 ID NSA's CMS Key Management Attributes October 13, 2015 2438 Appendix A. ASN.1 Module 2440 KMAttributes2012 2441 { joint-iso-itu-t(2) country(16) us(840) organization(1) 2442 gov(101) dod(2) infosec(1) modules(0) 39 } 2444 DEFINITIONS IMPLICIT TAGS ::= 2446 BEGIN 2448 -- EXPORT ALL 2450 IMPORTS 2452 -- From [RFC5911] 2454 aa-communityIdentifiers, CommunityIdentifier 2455 FROM CMSFirmwareWrapper-2009 2456 { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) 2457 smime(16) modules(0) id-mod-cms-firmware-wrap-02(40) } 2459 -- From [RFC5911] 2461 aa-contentHint, ESSSecurityLabel, id-aa-securityLabel 2462 FROM ExtendedSecurityServices-2009 2463 { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) 2464 smime(16) modules(0) id-mod-ess-2006-02(42) } 2466 -- From [RFC5911] [RFC5912] 2468 AlgorithmIdentifier{}, SMIME-CAPS, ParamOptions, KEY-WRAP 2469 FROM AlgorithmInformation-2009 2470 { iso(1) identified-organization(3) dod(6) internet(1) 2471 security(5) mechanisms(5) pkix(7) id-mod(0) 2472 id-mod-algorithmInformation-02(58) } 2474 -- From [RFC5912] 2476 Name, Certificate 2477 FROM PKIX1Explicit-2009 2478 { iso(1) identified-organization(3) dod(6) internet(1) 2479 security(5) mechanisms(5) pkix(7) id-mod(0) 2480 id-mod-pkix1-explicit-02(51) } 2482 ID NSA's CMS Key Management Attributes October 13, 2015 2484 -- From [RFC5912] 2486 GeneralNames, SubjectInfoAccessSyntax, id-pe-subjectInfoAccess 2487 FROM PKIX1Implicit-2009 2488 { iso(1) identified-organization(3) dod(6) internet(1) 2489 security(5) mechanisms(5) pkix(7) id-mod(0) 2490 id-mod-pkix1-implicit-02(59) } 2492 -- FROM [RFC5912] 2494 ATTRIBUTE 2495 FROM PKIX-CommonTypes-2009 2496 { iso(1) identified-organization(3) dod(6) internet(1) 2497 security(5) mechanisms(5) pkix(7) id-mod(0) 2498 id-mod-pkixCommon-02(57) } 2500 -- From [RFC6010] 2502 CMSContentConstraints 2503 FROM CMSContentConstraintsCertExtn 2504 { iso(1) identified-organization(3) dod(6) internet(1) 2505 security(5) mechanisms(5) pkix(7) id-mod(0) 2506 cmsContentConstr-93(42) } 2508 -- From [RFC6268] 2510 aa-binarySigningTime, BinaryTime 2511 FROM BinarySigningTimeModule-2010 2512 { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) 2513 smime(16) modules(0) id-mod-binSigningTime-2009(55) } 2515 -- From [RFC6268] 2517 CertificateChoices, CertificateSet, Attribute {}, 2518 aa-contentType, aa-messageDigest 2519 FROM CryptographicMessageSyntax-2010 2520 { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) 2521 smime(16) modules(0) id-mod-cms-2009(58) } 2523 -- From [RFC7191] 2525 aa-keyPackageIdentifierAndReceiptRequest, SIREntityName 2526 FROM KeyPackageReceiptAndErrorModuleV2 2527 { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) 2528 smime(16) modules(0) id-mod-keyPkgReceiptAndErrV2(63) } 2530 ID NSA's CMS Key Management Attributes October 13, 2015 2532 -- From [X.509] 2534 certificateExactMatch 2535 FROM CertificateExtensions 2536 { joint-iso-itu-t ds(5) module(1) certificateExtensions(26) 4 } 2538 ; 2540 -- ATTRIBUTES 2542 -- Replaces SignedAttributesSet information object set from 2543 -- [RFC6268]. 2545 SignedAttributesSet ATTRIBUTE ::= { 2546 aa-contentType | 2547 aa-messageDigest | 2548 aa-contentHint | 2549 aa-communityIdentifiers | 2550 aa-binarySigningTime | 2551 aa-keyProvince-v2 | 2552 aa-keyPackageIdentifierAndReceiptRequest | 2553 aa-manifest | 2554 aa-keyAlgorithm | 2555 aa-userCertificate | 2556 aa-keyPackageReceivers-v2 | 2557 aa-tsecNomenclature | 2558 aa-keyPurpose | 2559 aa-keyUse | 2560 aa-transportKey | 2561 aa-keyDistributionPeriod | 2562 aa-keyValidityPeriod | 2563 aa-keyDurationPeriod | 2564 aa-classificationAttribute | 2565 aa-keyPackageType | 2566 aa-pkiPath | 2567 aa-usefulCertificates, 2568 ... } 2570 -- Replaces UnsignedAttributes from [RFC6268]. 2572 UnsignedAttributes ATTRIBUTE ::= { 2573 ... 2574 } 2576 ID NSA's CMS Key Management Attributes October 13, 2015 2578 -- Replaces UnprotectedEnvAttributes from [RFC6268]. 2580 UnprotectedEnvAttributes ATTRIBUTE ::= { 2581 aa-contentDecryptKeyIdentifier | 2582 aa-certificatePointers | 2583 aa-cRLDistributionPoints, 2584 ... 2585 } 2587 -- Replaces UnprotectedEncAttributes from [RFC6268]. 2589 UnprotectedEncAttributes ATTRIBUTE ::= { 2590 aa-certificatePointers | 2591 aa-cRLDistributionPoints, 2592 ... 2593 } 2595 -- Replaces AuthAttributeSet from [RFC6268] 2597 AuthAttributeSet ATTRIBUTE ::= { 2598 aa-contentType | 2599 aa-messageDigest | 2600 aa-contentHint | 2601 aa-communityIdentifiers | 2602 aa-keyProvice-v2 | 2603 aa-binarySigningTime | 2604 aa-keyPackageIdentifierAndReceiptRequest | 2605 aa-manifest | 2606 aa-keyAlgorithm | 2607 aa-userCertificate | 2608 aa-keyPackageReceivers-v2 | 2609 aa-tsecNomenclature | 2610 aa-keyPurpose | 2611 aa-keyUse | 2612 aa-transportKey | 2613 aa-keyDistributionPeriod | 2614 aa-keyValidityPeriod | 2615 aa-keyDurationPeriod | 2616 aa-classificationAttribute | 2617 aa-keyPackageType | 2618 aa-pkiPath | 2619 aa-usefulCertificates, 2620 ... } 2622 ID NSA's CMS Key Management Attributes October 13, 2015 2624 -- Replaces UnauthAttributeSet from [RFC6268] 2626 UnauthAttributeSet ATTRIBUTE ::= { 2627 ... 2628 } 2630 -- Replaces AuthEnvDataAttributeSet from [RFC6268] 2632 AuthEnvDataAttributeSet ATTRIBUTE ::= { 2633 aa-certificatePointers | 2634 aa-cRLDistributionPoints, 2635 ... 2636 } 2638 -- Replaces UnauthEnvDataAttributeSet from [RFC6268] 2640 UnauthEnvDataAttributeSet ATTRIBUTE ::= { 2641 ... 2642 } 2644 -- Replaces OneAsymmetricKeyAttributes from [RFC5958] 2646 OneAsymmetricKeyAttributes ATTRIBUTE ::= { 2647 aa-userCertificate | 2648 aa-tsecNomenclature | 2649 aa-keyPurpose | 2650 aa-keyUse | 2651 aa-transportKey | 2652 aa-keyDistributionPeriod | 2653 aa-keyValidityPeriod | 2654 aa-keyDurationPeriod | 2655 aa-classificationAttribute | 2656 aa-splitIdentifier | 2657 aa-signatureUsage-v3 | 2658 aa-otherCertificateFormats | 2659 aa-pkiPath | 2660 aa-usefulCertificates, 2661 ... } 2663 ID NSA's CMS Key Management Attributes October 13, 2015 2665 -- Replaces SKeyPkgAttributes from [RFC6031] 2667 SKeyPkgAttributes ATTRIBUTE ::= { 2668 aa-keyAlgorithm | 2669 aa-tsecNomenclature | 2670 aa-keyPurpose | 2671 aa-keyUse | 2672 aa-keyDistributionPeriod | 2673 aa-keyValidityPeriod | 2674 aa-keyDurationPeriod | 2675 aa-classificationAttribute | 2676 aa-keyWrapAlgorithm | 2677 aa-contentDecryptKeyIdentifier, 2678 ... } 2680 -- Replaces SKeyAttributes from [RFC6031] 2682 SKeyAttributes ATTRIBUTE ::= { 2683 aa-keyAlgorithm | 2684 aa-tsecNomenclature | 2685 aa-keyPurpose | 2686 aa-keyUse | 2687 aa-keyDistributionPeriod | 2688 aa-keyValidityPeriod | 2689 aa-keyDurationPeriod | 2690 aa-classificationAttribute | 2691 aa-splitIdentifier | 2692 aa-keyWrapAlgorithm | 2693 aa-contentDecryptKeyIdentifier, 2694 ... } 2696 ID NSA's CMS Key Management Attributes October 13, 2015 2698 -- Replaces ContentAttributeSet from [RFC6268] 2700 ContentAttributeSet ATTRIBUTE ::= { 2701 aa-communityIdentifiers | 2702 aa-keyPackageIdentifierAndReceiptRequest | 2703 aa-keyAlgorithm | 2704 aa-keyPackageReceivers-v2 | 2705 aa-tsecNomenclature | 2706 aa-keyPurpose | 2707 aa-keyUse | 2708 aa-transportKey | 2709 aa-keyDistributionPeriod | 2710 aa-transportKey | 2711 aa-keyDistributionPeriod | 2712 aa-keyValidityPeriod | 2713 aa-keyDurationPeriod | 2714 aa-classificationAttribute | 2715 aa-keyPackageType | 2716 aa-pkiPath | 2717 aa-usefulCertificates, 2718 ... } 2720 -- Content Type, Message Digest, and Content Hint, and Binary Signing 2721 -- Time are imported from [RFC6268]. 2722 -- Community Identifiers is imported from [RFC5911]. 2724 -- Key Province 2726 aa-keyProvince-v2 ATTRIBUTE ::= { 2727 TYPE KeyProvinceV2 2728 IDENTIFIED BY id-aa-KP-keyProvinceV2 } 2730 id-aa-KP-keyProvinceV2 OBJECT IDENTIFIER ::= 2731 { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) 2732 dod(2) infosec(1) attributes(5) 71 } 2734 KeyProvinceV2 ::= OBJECT IDENTIFIER 2736 -- Manifest Attribute 2738 aa-manifest ATTRIBUTE ::= { 2739 TYPE Manifest 2740 IDENTIFIED BY id-aa-KP-manifest } 2742 id-aa-KP-manifest OBJECT IDENTIFIER ::= 2743 { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) 2744 dod(2) infosec(1) attributes(5) 72 } 2746 ID NSA's CMS Key Management Attributes October 13, 2015 2748 Manifest ::= SEQUENCE SIZE (1..MAX) OF ShortTitle 2750 -- Key Algorithm Attribute 2752 aa-keyAlgorithm ATTRIBUTE ::= { 2753 TYPE KeyAlgorithm 2754 IDENTIFIED BY id-kma-keyAlgorithm } 2756 id-kma-keyAlgorithm OBJECT IDENTIFIER ::= 2757 { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) 2758 dod(2) infosec(1) keying-material-attributes(13) 1 } 2760 KeyAlgorithm ::= SEQUENCE { 2761 keyAlg OBJECT IDENTIFIER, 2762 checkWordAlg [1] OBJECT IDENTIFIER OPTIONAL, 2763 crcAlg [2] OBJECT IDENTIFIER OPTIONAL } 2765 -- User Certificate Attribute 2767 aa-userCertificate ATTRIBUTE ::= { 2768 TYPE Certificate 2769 EQUALITY MATCHING RULE certificateExactMatch 2770 IDENTIFIED BY id-at-userCertificate } 2772 id-at-userCertificate OBJECT IDENTIFIER ::= 2773 { joint-iso-itu-t(2) ds(5) attributes(4) 36 } 2775 -- Key Package Receivers Attribute 2777 aa-keyPackageReceivers-v2 ATTRIBUTE ::= { 2778 TYPE KeyPkgReceiversV2 2779 IDENTIFIED BY id-kma-keyPkgReceiversV2 } 2781 id-kma-keyPkgReceiversV2 OBJECT IDENTIFIER ::= 2782 { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) 2783 dod(2) infosec(1) keying-material-attributes(13) 16 } 2785 KeyPkgReceiversV2 ::= SEQUENCE SIZE (1..MAX) OF KeyPkgReceiver 2787 KeyPkgReceiver ::= CHOICE { 2788 sirEntity [0] SIREntityName, 2789 community [1] CommunityIdentifier } 2791 ID NSA's CMS Key Management Attributes October 13, 2015 2793 -- TSEC Nomenclature Attribute 2795 aa-tsecNomenclature ATTRIBUTE ::= { 2796 TYPE TSECNomenclature 2797 IDENTIFIED BY id-kma-TSECNomenclature } 2799 id-kma-TSECNomenclature OBJECT IDENTIFIER ::= 2800 { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) 2801 dod(2) infosec(1) keying-material-attributes(13) 3 } 2803 TSECNomenclature ::= SEQUENCE { 2804 shortTitle ShortTitle, 2805 editionID EditionID OPTIONAL, 2806 registerID RegisterID OPTIONAL, 2807 segmentID SegmentID OPTIONAL } 2809 ShortTitle ::= PrintableString 2811 EditionID ::= CHOICE { 2812 char CHOICE { 2813 charEdition [1] CharEdition, 2814 charEditionRange [2] CharEditionRange }, 2815 num CHOICE { 2816 numEdition [3] NumEdition, 2817 numEditionRange [4] NumEditionRange } } 2819 CharEdition ::= PrintableString 2821 CharEditionRange ::= SEQUENCE { 2822 firstCharEdition CharEdition, 2823 lastCharEdition CharEdition } 2825 NumEdition ::= INTEGER (0..308915776) 2827 NumEditionRange ::= SEQUENCE { 2828 firstNumEdition NumEdition, 2829 lastNumEdition NumEdition } 2831 RegisterID ::= CHOICE { 2832 register [5] Register, 2833 registerRange [6] RegisterRange } 2835 Register ::= INTEGER (0..2147483647) 2837 RegisterRange ::= SEQUENCE { 2838 firstRegister Register, 2839 lastRegister Register } 2841 ID NSA's CMS Key Management Attributes October 13, 2015 2843 SegmentID ::= CHOICE { 2844 segmentNumber [7] SegmentNumber, 2845 segmentRange [8] SegmentRange } 2847 SegmentNumber ::= INTEGER (1..127) 2849 SegmentRange ::= SEQUENCE { 2850 firstSegment SegmentNumber, 2851 lastSegment SegmentNumber } 2853 -- Key Purpose Attribute 2855 aa-keyPurpose ATTRIBUTE ::= { 2856 TYPE KeyPurpose 2857 IDENTIFIED BY id-kma-keyPurpose } 2859 id-kma-keyPurpose OBJECT IDENTIFIER ::= 2860 { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) 2861 dod(2) infosec(1) keying-material-attributes(13) 13 } 2863 KeyPurpose ::= ENUMERATED { 2864 n-a (0), -- Not Applicable 2865 a (65), -- Operational 2866 b (66), -- Compatible Multiple Key 2867 l (76), -- Logistics Combinations 2868 m (77), -- Maintenance 2869 r (82), -- Reference 2870 s (83), -- Sample 2871 t (84), -- Training 2872 v (86), -- Developmental 2873 x (88), -- Exercise 2874 z (90), -- "On the Air" Testing 2875 ... -- Expect additional key purpose values -- } 2877 -- Key Use Attribute 2879 aa-keyUse ATTRIBUTE ::= { 2880 TYPE KeyUse 2881 IDENTIFIED BY id-kma-keyUse } 2883 id-kma-keyUse OBJECT IDENTIFIER ::= 2884 { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) 2885 dod(2) infosec(1) keying-material-attributes(13) 14 } 2887 ID NSA's CMS Key Management Attributes October 13, 2015 2889 KeyUse ::= ENUMERATED { 2890 n-a (0), -- Not Applicable 2891 ffk (1), -- FIREFLY/CROSSTALK Key (Basic Format) 2892 kek (2), -- Key Encryption Key 2893 kpk (3), -- Key Production Key 2894 msk (4), -- Message Signature Key 2895 qkek (5), -- QUADRANT Key Encryption Key 2896 tek (6), -- Traffic Encryption Key 2897 tsk (7), -- Transmission Security Key 2898 trkek (8), -- Transfer Key Encryption Key 2899 nfk (9), -- Netted FIREFLY Key 2900 effk (10), -- FIREFLY Key (Enhanced Format) 2901 ebfk (11), -- FIREFLY Key (Enhanceable Basic Format) 2902 aek (12), -- Algorithm Encryption Key 2903 wod (13), -- Word of Day 2904 kesk (246), -- Key Establishment Key 2905 eik (247), -- Entity Identification Key 2906 ask (248), -- Authority Signature Key 2907 kmk (249), -- Key Modifier Key 2908 rsk (250), -- Revocation Signature Key 2909 csk (251), -- Certificate Signature Key 2910 sak (252), -- Symmetric Authentication Key 2911 rgk (253), -- Random Generation Key 2912 cek (254), -- Certificate Encryption Key 2913 exk (255), -- Exclusion Key 2914 ... -- Expect additional key use values -- } 2916 -- Transport Key Attribute 2918 aa-transportKey ATTRIBUTE ::= { 2919 TYPE TransOp 2920 IDENTIFIED BY id-kma-transportKey } 2922 id-kma-transportKey OBJECT IDENTIFIER ::= 2923 { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) 2924 dod(2) infosec(1) keying-material-attributes(13) 15 } 2926 TransOp ::= ENUMERATED { 2927 transport (1), 2928 operational (2) } 2930 -- Key Distribution Period Attribute 2932 aa-keyDistributionPeriod ATTRIBUTE ::= { 2933 TYPE KeyDistPeriod 2934 IDENTIFIED BY id-kma-keyDistPeriod } 2936 ID NSA's CMS Key Management Attributes October 13, 2015 2938 id-kma-keyDistPeriod OBJECT IDENTIFIER ::= 2939 { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) 2940 dod(2) infosec(1) keying-material-attributes(13) 5 } 2942 KeyDistPeriod ::= SEQUENCE { 2943 doNotDistBefore [0] BinaryTime OPTIONAL, 2944 doNotDistAfter BinaryTime } 2946 -- Key Validity Period Attribute 2948 aa-keyValidityPeriod ATTRIBUTE ::= { 2949 TYPE KeyValidityPeriod 2950 IDENTIFIED BY id-kma-keyValidityPeriod } 2952 id-kma-keyValidityPeriod OBJECT IDENTIFIER ::= 2953 { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) 2954 dod(2) infosec(1) keying-material-attributes(13) 6 } 2956 KeyValidityPeriod ::= SEQUENCE { 2957 doNotUseBefore BinaryTime, 2958 doNotUseAfter BinaryTime OPTIONAL } 2960 -- Key Duration Attribute 2962 aa-keyDurationPeriod ATTRIBUTE ::= { 2963 TYPE KeyDuration 2964 IDENTIFIED BY id-kma-keyDuration } 2966 id-kma-keyDuration OBJECT IDENTIFIER ::= 2967 { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) 2968 dod(2) infosec(1) keying-material-attributes(13) 7 } 2970 KeyDuration ::= CHOICE { 2971 hours [0] INTEGER (1..ub-KeyDuration-hours), 2972 days INTEGER (1..ub-KeyDuration-days), 2973 weeks [1] INTEGER (1..ub-KeyDuration-weeks), 2974 months [2] INTEGER (1..ub-KeyDuration-months), 2975 years [3] INTEGER (1..ub-KeyDuration-years) } 2977 ub-KeyDuration-hours INTEGER ::= 96 2978 ub-KeyDuration-days INTEGER ::= 732 2979 ub-KeyDuration-weeks INTEGER ::= 104 2980 ub-KeyDuration-months INTEGER ::= 72 2981 ub-KeyDuration-years INTEGER ::= 100 2983 ID NSA's CMS Key Management Attributes October 13, 2015 2985 -- Classification Attribute 2987 -- The attribute syntax is imported from [RFC6268]. The term 2988 -- "classification" is used in this document, but the term "security 2989 -- label" is used in [RFC2634]. The terms have the same meaning. 2991 aa-classificationAttribute ATTRIBUTE ::= { 2992 TYPE Classification 2993 IDENTIFIED BY id-aa-KP-classification } 2995 id-aa-KP-classification OBJECT IDENTIFIER ::= id-aa-securityLabel 2997 Classification ::= ESSSecurityLabel 2999 id-enumeratedRestrictiveAttributes OBJECT IDENTIFIER ::= 3000 { 2 16 840 1 101 2 1 8 3 4 } 3002 id-enumeratedPermissiveAttributes OBJECT IDENTIFIER ::= 3003 { 2 16 840 1 101 2 1 8 3 1 } 3005 EnumeratedTag ::= SEQUENCE { 3006 tagName OBJECT IDENTIFIER, 3007 attributeList SET OF SecurityAttribute } 3009 SecurityAttribute ::= INTEGER (0..MAX) 3011 -- Split Identifier Attribute 3013 aa-splitIdentifier ATTRIBUTE ::= { 3014 TYPE SplitID 3015 IDENTIFIED BY id-kma-splitID } 3017 id-kma-splitID OBJECT IDENTIFIER ::= 3018 { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) 3019 dod(2) infosec(1) keying-material-attributes(13) 11 } 3021 SplitID ::= SEQUENCE { 3022 half ENUMERATED { a(0), b(1) }, 3023 combineAlg AlgorithmIdentifier 3024 {COMBINE-ALGORITHM, {CombineAlgorithms}} OPTIONAL } 3026 ID NSA's CMS Key Management Attributes October 13, 2015 3028 COMBINE-ALGORITHM ::= CLASS { 3029 &id OBJECT IDENTIFIER UNIQUE, 3030 &Params OPTIONAL, 3031 ¶mPresence ParamOptions DEFAULT absent, 3032 &smimeCaps SMIME-CAPS OPTIONAL 3033 } 3034 WITH SYNTAX { 3035 IDENTIFIER &id 3036 [PARAMS [TYPE &Params] ARE ¶mPresence] 3037 [SMIME-CAPS &smimeCaps] 3038 } 3040 CombineAlgorithms COMBINE-ALGORITHM ::= { 3041 ... 3042 } 3044 -- Key Package Type Attribute 3046 aa-keyPackageType ATTRIBUTE ::= { 3047 TYPE KeyPkgType 3048 IDENTIFIED BY id-kma-keyPkgType } 3050 id-kma-keyPkgType OBJECT IDENTIFIER ::= 3051 { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) 3052 dod(2) infosec(1) keying-material-attributes(13) 12 } 3054 KeyPkgType ::= OBJECT IDENTIFIER 3056 -- Signature Usage Attribute 3058 aa-signatureUsage-v3 ATTRIBUTE ::= { 3059 TYPE SignatureUsage 3060 IDENTIFIED BY id-kma-sigUsageV3 } 3062 id-kma-sigUsageV3 OBJECT IDENTIFIER ::= 3063 { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) 3064 dod(2) infosec(1) keying-material-attributes(13) 22 } 3066 SignatureUsage ::= CMSContentConstraints 3068 -- Other Certificate Format Attribute 3070 aa-otherCertificateFormats ATTRIBUTE ::= { 3071 TYPE CertificateChoices 3072 IDENTIFIED BY id-kma-otherCertFormats } 3074 ID NSA's CMS Key Management Attributes October 13, 2015 3076 id-kma-otherCertFormats OBJECT IDENTIFIER ::= 3077 { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) 3078 dod(2) infosec(1) keying-material-attributes(13) 19 } 3080 -- PKI Path Attribute 3082 aa-pkiPath ATTRIBUTE ::= { 3083 TYPE PkiPath 3084 IDENTIFIED BY id-at-pkiPath } 3086 id-at-pkiPath OBJECT IDENTIFIER ::= 3087 { joint-iso-itu-t(2) ds(5) attributes(4) 70 } 3089 PkiPath ::= SEQUENCE SIZE (1..MAX) OF Certificate 3091 -- Useful Certificates Attribute 3093 aa-usefulCertificates ATTRIBUTE ::= { 3094 TYPE CertificateSet 3095 IDENTIFIED BY id-kma-usefulCerts } 3097 id-kma-usefulCerts OBJECT IDENTIFIER ::= 3098 { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) 3099 dod(2) infosec(1) keying-material-attributes(13) 20 } 3101 -- Key Wrap Attribute 3103 aa-keyWrapAlgorithm ATTRIBUTE ::= { 3104 TYPE AlgorithmIdentifier{KEY-WRAP, {KeyEncryptionAlgorithmSet}} 3105 IDENTIFIED BY id-kma-keyWrapAlgorithm } 3107 id-kma-keyWrapAlgorithm OBJECT IDENTIFIER ::= 3108 { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) 3109 dod(2) infosec(1) keying-material-attributes(13) 21 } 3111 KeyEncryptionAlgorithmSet KEY-WRAP ::= { ... } 3113 -- Content Decryption Key Identifier Attribute 3115 aa-contentDecryptKeyIdentifier ATTRIBUTE ::= { 3116 TYPE ContentDecryptKeyID 3117 IDENTIFIED BY id-aa-KP-contentDecryptKeyID } 3119 id-aa-KP-contentDecryptKeyID OBJECT IDENTIFIER ::= 3120 { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) 3121 dod(2) infosec(1) attributes(5) 66 } 3123 ContentDecryptKeyID::= OCTET STRING 3125 ID NSA's CMS Key Management Attributes October 13, 2015 3127 -- Certificate Pointers Attribute 3129 aa-certificatePointers ATTRIBUTE ::= { 3130 TYPE SubjectInfoAccessSyntax 3131 IDENTIFIED BY id-pe-subjectInfoAccess } 3133 -- CRL Pointers Attribute 3135 aa-cRLDistributionPoints ATTRIBUTE ::= { 3136 TYPE GeneralNames 3137 IDENTIFIED BY id-aa-KP-crlPointers } 3139 id-aa-KP-crlPointers OBJECT IDENTIFIER ::= 3140 { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) 3141 dod(2) infosec(1) attributes (5) 70 } 3143 -- ExtendedErrorCodes 3145 id-errorCodes OBJECT IDENTIFIER ::= 3146 { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) 3147 dod(2) infosec(1) errorCodes(22) } 3149 id-missingKeyType OBJECT IDENTIFIER ::= { 3150 id-errorCodes 1 } 3152 id-privacyMarkTooLong OBJECT IDENTIFIER ::= { 3153 id-errorCodes 2 } 3155 id-unrecognizedSecurityPolicy OBJECT IDENTIFIER ::= { 3156 id-errorCodes 3 } 3158 END 3160 ID NSA's CMS Key Management Attributes October 13, 2015 3162 Authors' Addresses 3164 Paul Timmel 3165 National Information Assurance Research Laboratory 3166 National Security Agency 3168 Email: pstimme@tycho.ncsc.mil 3170 Russ Housley 3171 Vigil Security, LLC 3172 918 Spring Knoll Drive 3173 Herndon, VA 20170 3174 USA 3176 Email: : housley@vigilsec.com 3178 Sean Turner 3179 IECA, Inc. 3180 3057 Nutley Street, Suite 106 3181 Fairfax, VA 22031 3182 USA 3184 Email: turners@ieca.com